https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/478

https://gitlab.cee.redhat.com/openshift-art/rhcos-upshift/merge_requests/58

Merged

This change did not make it into the 4.1.9 release payload.  It first landed in 410.8.20190802.0, but the 4.1.9 payload uses 410.8.20190801.0.

Marking as FailedQA since the fix is not in the release-payload.

Verified with latest green 4.1 nightly - 4.1.0-0.nightly-2019-08-06-201533

```
$  oc image info -a ~/openshift-cluster-installs/all-the-pull-secrets.json $(oc adm release info -a ~/openshift-cluster-installs/all-the-pull-secrets.json --image-for=machine-os-content registr
y.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-08-06-201533)
Name:       quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ddbecdb0ea9fda3d6cea2b9d967ff1648857d67b90acf082ce4b93772bfb6fc9
Media Type: application/vnd.docker.distribution.manifest.v2+json
Created:    4d ago
Image Size: 589.6MB in 1 layers
Layers:     589.6MB sha256:c9a98447dd105fb9ab5eebbe159c2992b4ab4bf4007fed73328cf8ccd23e10cd
OS:         linux
Arch:       amd64
Entrypoint: /noentry
Labels:     com.coreos.ostree-commit=65bea761fa27fcd1c500f58987db717d1528e407838ceca039e765409269fc2e
            version=410.8.20190802.0

$ curl -Ls https://releases-rhcos-art.cloud.privileged.psi.redhat.com/storage/releases/rhcos-4.1/410.8.20190802.0/meta.json | jq '.amis[] | select(.name == "us-west-2")'
{
  "name": "us-west-2",
  "hvm": "ami-0442f7287e63fee27"
}

$ bin/kola spawn --debug -b rhcos -p aws --aws-ami ami-0442f7287e63fee27 --aws-region us-west-2 --aws-type t2.small --aws-profile openshift-dev --ignition-version v2
2019-08-07T15:02:12Z cli: Started logging at level DEBUG
2019-08-07T15:02:18Z platform/api/aws: created security group sg-0739297d1971ffd3a
Red Hat Enterprise Linux CoreOS 410.8.20190802.0
WARNING: Direct SSH access to machines is not recommended.

---
[bound] -bash-4.4$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
● pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ddbecdb0ea9fda3d6cea2b9d967ff1648857d67b90acf082ce4b93772bfb6fc9
              CustomOrigin: Provisioned from oscontainer
                   Version: 410.8.20190802.0 (2019-08-02T15:02:56Z)
[bound] -bash-4.4$ systemctl status coreos-update-ca-trust.service 
● coreos-update-ca-trust.service - Run update-ca-trust
   Loaded: loaded (/usr/lib/systemd/system/coreos-update-ca-trust.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
Condition: start condition failed at Wed 2019-08-07 15:03:26 UTC; 1min 0s ago
           └─ ConditionDirectoryNotEmpty=/etc/pki/ca-trust/source/anchors was not met
[bound] -bash-4.4$ systemctl cat coreos-update-ca-trust.service 
# /usr/lib/systemd/system/coreos-update-ca-trust.service
# This service is currently specific to Fedora CoreOS,
# but we may want to add it to the base OS in the future.
# The idea here is to allow users to just drop in CA roots
# via Ignition without having to know to run the special
# update command.
[Unit]
Description=Run update-ca-trust
ConditionDirectoryNotEmpty=/etc/pki/ca-trust/source/anchors/
# We want to run quite early, in particular before anything
# that may speak TLS to external services.  In the future,
# it may make sense to do this in the initramfs too.
DefaultDependencies=no
[Service]
ExecStart=/usr/bin/update-ca-trust
Type=oneshot
RemainAfterExit=yes
[Install]
WantedBy=basic.target
```

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2417