IPA: pki-tomcatd service not starting with error DEFAULT_CA_BUNDLE_PATH Permission denied
Issue
The IPA PKI service (pki-tomcatd) does not start and fails with a permission error:
systemctl status pki-tomcatd@pki-tomcat
● pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d
           └─ipa.conf, override.conf
   Active: failed (Result: exit-code) since Thu 2025-05-29 18:15:01 PDT; 2h 36min ago
  Process: 396682 ExecStartPre=/usr/sbin/pki-server upgrade pki-tomcat (code=exited, status=1/FAILURE)
 Main PID: 7306 (code=exited, status=143)

May 29 18:15:01 srv1.example.test pki-server[396683]: File "/usr/lib/python3.6/site-packages/requests/api.py", line 13, in <module>
May 29 18:15:01 srv1.example.test pki-server[396683]: from . import sessions
May 29 18:15:01 srv1.example.test pki-server[396683]: File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 27, in <module>
May 29 18:15:01 srv1.example.test pki-server[396683]: from .adapters import HTTPAdapter
May 29 18:15:01 srv1.example.test pki-server[396683]: File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 61, in <module>
May 29 18:15:01 srv1.example.test pki-server[396683]: extract_zipped_paths(DEFAULT_CA_BUNDLE_PATH)
May 29 18:15:01 srv1.example.test pki-server[396683]: PermissionError: [Errno 13] Permission denied
May 29 18:15:01 srv1.example.test systemd[1]: pki-tomcatd@pki-tomcat.service: Control process exited, code=exited status=1
May 29 18:15:01 srv1.example.test systemd[1]: pki-tomcatd@pki-tomcat.service: Failed with result 'exit-code'.
May 29 18:15:01 srv1.example.test systemd[1]: Failed to start PKI Tomcat Server pki-tomcat.
Environment
RHEL-8.10 IdM