In the Apache error log I found this, which is generated when, in the UI, I try to access Authentication > Certificates > Certificate Authorities.
[Wed Apr 03 16:33:28.439180 2024] [:error] [pid 19048] ipa: INFO: [jsonserver_session] twest@IPA.****.NET: cert_find(None, version=u'2.230'): SUCCESS
[Wed Apr 03 16:33:30.661528 2024] [:warn] [pid 19601] [client IP.ADD.RE.SS:61691] failed to set perms (3140) on file (/var/run/ipa/ccaches/twest@IPA.****.NET)!, referer: https://ipa1-sea2.ipa.****.net/ipa/ui/
[Wed Apr 03 16:33:30.720054 2024] [:error] [pid 19047] ipa: INFO: [jsonserver_session] twest@IPA.****.NET: ca_find(u'', sizelimit=0, version=u'2.230', pkey_only=True): SUCCESS
[Wed Apr 03 16:33:30.731584 2024] [:warn] [pid 19601] [client IP.ADD.RE.SS:61691] failed to set perms (3140) on file (/var/run/ipa/ccaches/twest@IPA.****.NET)!, referer: https://ipa1-sea2.ipa.****.net/ipa/ui/
[Wed Apr 03 16:33:30.831428 2024] [:error] [pid 19055] Bad remote server certificate: -8179
[Wed Apr 03 16:33:30.831479 2024] [:error] [pid 19055] SSL Library Error: -8179 Certificate is signed by an unknown issuer
[Wed Apr 03 16:33:30.831557 2024] [:error] [pid 19055] Re-negotiation handshake failed: Not accepted by client!?
[Wed Apr 03 16:33:30.831672 2024] [:error] [pid 19055] SSL Library Error: -12116 Unknown
[Wed Apr 03 16:33:30.832809 2024] [:error] [pid 19048] ipa: INFO: twest@IPA.****.NET: batch: ca_show(u'ipa'): NetworkError
[Wed Apr 03 16:33:30.833300 2024] [:error] [pid 19048] ipa: INFO: [jsonserver_session] twest@IPA.****.NET: batch(({u'params': ([u'ipa'], {}), u'method': u'ca_show'},), version=u'2.230'): SUCCESS
but no indication of which certificate it is complaining about. I thought maybe the IPA RA cert, but that is definitely signed by this CA and doesn't expire until 2026. The certs I generated and imported to /etc/pki/pki-tomcat/alias are also signed by the CA.