ipa: ERROR: 'Certificate operation cannot be completed: Unable to communicate with CMS (403)'


Issue

We have upgraded to RHEL-8.5 and the problem seems to have changed.
Now the pki-tomcatd service continues running, but we receive the following error when attempting to look at any certificates on the server, or when trying to delete a host with the "ipa" command line tool:
'Certificate operation cannot be completed: Unable to communicate with CMS (403)'
We have tried downgrading Java back down, but it behaves exactly the same way.

Trace sample:

[Thu Nov 18 13:52:31.384433 2021] [wsgi:error] [pid 175035:tid 140003921737472] [remote 10.10.10.10:47702] ipa: ERROR: non-public: HTTPError: 403 Client Error: 403 for url: https://ipaserver1.idm.example.test:443/kra/rest/config/cert/transport
[Thu Nov 18 13:52:31.384481 2021] [wsgi:error] [pid 175035:tid 140003921737472] [remote 10.10.10.10:47702] Traceback (most recent call last):
[Thu Nov 18 13:52:31.384502 2021] [wsgi:error] [pid 175035:tid 140003921737472] [remote 10.10.10.10:47702]   File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 437, in handler
...snip...

Environment

RHEL-8.5 IdM / IPA (update from RHEL-8.4)

ipa-server-4.9.6-6.module+el8.5.0+12660+88e16a2c.x86_64
pki-server-10.11.2-2.module+el8.5.0+12735+8eb38ccc.noarch
pki-servlet-engine-9.0.30-3.module+el8.5.0+11388+9e95fe00.noarch
pki-servlet-4.0-api-9.0.30-3.module+el8.5.0+11388+9e95fe00.noarch
pki-ca-10.11.2-2.module+el8.5.0+12735+8eb38ccc.noarch
