This issue is currently causing nondeterministic failures in the freeipa-server package via certmonger, which is preventing successful server installations and, subsequently, packaging of the full software suite.
The discussion about the problem is over in the dogtag PKI repo (https://github.com/dogtagpki/pki/issues/4334). It would be very good if this could be resolved in the main nss package. What's the reasoning for the current wontfix tag? I'm happy to put together a postinst patch for this if need be.

