Hi Sam,
Thanks for the insight. I've deployed all IPA servers via the freeipa Ansible
collection, all of them defined as CAs.
I've fixed the issue for now but in a slightly different way (before your
reply):
mv /var/lib/ipa/private/httpd.key ./
mv /var/lib/ipa/certs/httpd.crt ./
ipa-getcert request
> Compare the output of "getcert list -f /var/lib/ipa/certs/httpd.crt" between
> your servers. Look at the "dns:" line -- is mentor missing the ipa-ca DNS name?
> If so you can add it with "getcert resubmit -w -f /var/lib/ipa/certs/httpd.crt
> -D mentor.redacted-domain.com,ipa-ca.redacted-domain.com"
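The comparison Sam describes, scripted as an added example that is not part of this thread: pull the "dns:" line out of `getcert list -f` output, test whether the ipa-ca name is among the SANs, and build the `getcert resubmit -w -f ... -D ...` command from the names already present plus the missing one (dropping the existing names from -D would silently remove them from the renewed cert). The `*.example.test` hostnames and the sample getcert output are constructed; the helper names `san_list`, `has_san`, `resubmit_cmd` and `check_live` are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether the httpd cert that
# certmonger tracks carries the ipa-ca DNS SAN, based on the "dns:" line of
# `getcert list -f <cert>`, and build the matching `getcert resubmit` command.
# Hostnames (*.example.test) and the sample getcert output are constructed.

# Constructed `getcert list -f /var/lib/ipa/certs/httpd.crt` output from a
# server whose httpd certificate only names the host itself.
SAMPLE_MISSING=$(cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20240101120000':
        status: MONITORING
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        subject: CN=mentor.example.test,O=EXAMPLE.TEST
        dns: mentor.example.test
        principal name: HTTP/mentor.example.test@EXAMPLE.TEST
EOF
)

# Constructed output from a server whose certificate already has both names.
SAMPLE_OK=$(cat <<'EOF'
Request ID '20240101120001':
        status: MONITORING
        dns: ipa1.example.test,ipa-ca.example.test
EOF
)

# Print the DNS SANs from getcert output on stdin, one per line.
# getcert lists them comma-separated on a single "dns:" line.
san_list() {
    sed -n 's/^[[:space:]]*dns:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$'
}

# has_san OUTPUT NAME: exit 0 if NAME is one of the SANs in OUTPUT.
has_san() {
    printf '%s\n' "$1" | san_list | grep -qxF "$2"
}

# resubmit_cmd OUTPUT CERT NAME: print the resubmit command that re-requests
# CERT with every SAN it already has plus NAME, in the form used in the thread.
resubmit_cmd() {
    existing=$(printf '%s\n' "$1" | san_list | tr '\n' ',' | sed 's/,$//')
    printf 'getcert resubmit -w -f %s -D %s,%s\n' "$2" "$existing" "$3"
}

# check_live CERT NAME: run the real getcert on this host. Only prints the
# resubmit command; run it by hand once you have compared your servers.
check_live() {
    out=$(getcert list -f "$1") || return 2
    if has_san "$out" "$2"; then
        echo "$1 already has SAN $2"
    else
        echo "$1 is missing SAN $2; to fix:"
        resubmit_cmd "$out" "$1" "$2"
        return 1
    fi
}

# Offline demonstration on the constructed samples.
has_san "$SAMPLE_OK" ipa-ca.example.test && echo "SAMPLE_OK: ipa-ca SAN present"
has_san "$SAMPLE_MISSING" ipa-ca.example.test \
    || resubmit_cmd "$SAMPLE_MISSING" /var/lib/ipa/certs/httpd.crt ipa-ca.example.test
```

On a real replica, `check_live /var/lib/ipa/certs/httpd.crt ipa-ca.<domain>` prints the resubmit line when the SAN is absent; the script deliberately does not run it, since a resubmit replaces the certificate on disk and restarts httpd through certmonger's post-save command.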