[Freeipa-users] pki-tomcat fails to start after I update CA for dirsrv and httpd.

Hi, As state in https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-... I cannot login in FreeIPA web page. So I update CA by : # delete everything except IPA CA of httpd and dirsrv certutil -d /etc/http/alias -D -n 'xxx' # ca-bundle.crt is 3 files named USERTrust, .etc. # server.all is an combination of my certificate signed by Sectigo( fomerly named Comodo). openssl pkcs12 -export -chain -CAfile ca-bundle.crt -in server.all -out Server-Cert.p12 -name "Server-Cert" # add to httpd and dirsrv. pk12util -i Server-Cert.p12 -d /etc/httpd/alias/ -n Server-Cert I restart all services by ipactl restart. But it seems pki-tomcat fails to startup. #### log of ipactcl start #### Starting pki-tomcatd Service ipa: DEBUG: Starting external process ipa: DEBUG: args=/bin/systemctl start pki-tomcatd.target ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: request POST http://wocfreeipa.sap.wingon.hk:8080/ca/admin/ca/getStatus ipa: DEBUG: request body '' ipa: DEBUG: response status 500 ipa: DEBUG: response headers Server: Apache-Coyote/1.1 Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 2208 Date: Wed, 17 Jun 2020 09:13:19 GMT Connection: close ipa: DEBUG: response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-s ...... ipa: DEBUG: Failed to check CA status: Retrieving CA status failed with status 500 ipa: DEBUG: Waiting until the CA is running #### END of log ##### Here is log of pki-tomcat ### Internal Database Error encountered: Could not connect to LDAP server host wocfreeipa.sap.wingon.hk port 636 Error netscape.ldap.LDAPException: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user. (-1) ### The point is ' Peer's certificate issuer has been marked as not trusted by the user.' As far as I know pki-tomcat needs a certificate to bind to 389 DS and store information. But I didn't touch CA named 'IPA CA', so basically pki-tomcatd could use its own certificate named 'substemCert cert-pki-ca' to bind to 389 DS. Please help. Thanks a lot.