I recently had the certificates I use on my FreeIPA server expire, preventing ipa from starting. So I replaced them with the new ones, and IPA still wouldn't start, whereupon after some digging I discovered the new certificates came with new intermediate and root certificates. So I installed those using ipa-cacert-manage, ran ipa-certupdate, and then re-installed my certificates using ipa-server-certinstall, all of which appeared to work.
However, the IPA service still won't start, with the issue apparently being that pki-tomcat isn't starting properly. Looking at the /var/log/pki/pki-tomcat/ca/debug file shows that the reason for this is:
Internal Database Error encountered: Could not connect to LDAP server host
port 636 Error netscape.ldap.LDAPException: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake
failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user. (-1)
OK, sounds simple enough, so how do I mark the peer's certificate issuer as trusted? Thanks.
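As an added diagnostic (not from the post above), the following POSIX shell helpers pull the NSS error code out of the pki-tomcat debug log quoted above and check whether the CA's NSS database actually contains a certificate with the "C" (trusted CA) flag in the SSL trust column, which is what the -8172 error is complaining about; the database path /etc/pki/pki-tomcat/alias is an assumption about a standard Dogtag layout.

```shell
#!/bin/sh
# Added diagnostic helpers; not part of the original post.
# Assumed locations (adjust to your install):
DEBUG_LOG=/var/log/pki/pki-tomcat/ca/debug   # path quoted in the post
NSSDB=/etc/pki/pki-tomcat/alias              # assumed Dogtag NSS database

# Print each distinct NSS error code (e.g. -8172, SEC_ERROR_UNTRUSTED_ISSUER)
# found on "SSL_ForceHandshake failed: (-NNNN)" lines of the given log file.
nss_error_codes() {
    sed -n 's/.*failed: (\(-[0-9][0-9]*\)).*/\1/p' "$1" | sort -u
}

# Given a certutil trust string such as "CT,C,C" or "u,u,u", return 0 if the
# first (SSL) column carries an upper-case "C", i.e. the cert is a trusted CA
# for server authentication; lower-case "c" only means "valid CA", not trusted.
trust_field_has_ca() {
    case "${1%%,*}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# List nickname and trust flags for every cert in an NSS DB, then report
# whether any entry is a trusted CA. Requires certutil (nss-tools).
report_trusted_cas() {
    db=$1
    command -v certutil >/dev/null 2>&1 || { echo "certutil not installed" >&2; return 2; }
    found=1
    # Trust attributes are the last field and look like "x,y,z"; the header
    # line "SSL,S/MIME,JAR/XPI" contains slashes and so is skipped.
    certutil -L -d "$db" | awk 'NF && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ { print $NF "\t" $0 }' |
    while IFS="	" read -r flags line; do
        if trust_field_has_ca "$flags"; then
            printf 'trusted CA: %s\n' "$line"
        else
            printf 'not trusted: %s\n' "$line"
        fi
    done
    return $found
}

# Stand-alone use: only act when the log and DB actually exist on this host.
if [ -r "$DEBUG_LOG" ]; then
    echo "NSS error codes seen in $DEBUG_LOG:"; nss_error_codes "$DEBUG_LOG"
fi
if [ -d "$NSSDB" ]; then
    report_trusted_cas "$NSSDB"
fi
```

If the new intermediate and root do not appear with a "C" in the first column, certutil -M -d DB -n NICKNAME -t "CT,C,C" is the command that sets that trust on an existing entry.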