Hello Scott,
Lots of fun things going on with the above. I experienced the same issue, and your thread
was at the top of my search results when I first started investigating. Sadly, it does not
appear that a solution has been posted there yet, hence my reply below.
What I found:
https://access.redhat.com/solutions/4796941
This talks about disabling TLS 1.3. I checked, and on our server 1.3 was disabled by default.
After a little more searching I found the thread below, which for me at least contained
the solution:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Reading through the thread it appears there is a conflict that can occur during updates
that can cause secretRequired in /etc/pki/pki-tomcat/server.xml to not be set correctly.
secretRequired should match secret in that file (it's in 2 different spots, so make
sure to update both).
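
A consistency check for the fix described in the message above, added here as an example and not part of the original post: it parses a server.xml, looks at every AJP `<Connector>`, and reports where the secret attributes disagree, without printing the secret values. The attribute names are a parameter; the defaults `secret` and `requiredSecret` are Tomcat AJP connector attributes, which is an assumption about what your file contains, so pass other names if yours differ. The sample XML is constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not a real server.xml: two AJP connectors (the "2
# different spots"), the second left mismatched, plus one non-AJP connector.
SAMPLE = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secret="EXAMPLE-A" requiredSecret="EXAMPLE-A"/>
    <Connector port="8009" protocol="AJP/1.3" address="::1"
               secret="EXAMPLE-A" requiredSecret="EXAMPLE-OLD"/>
  </Service>
</Server>"""


def check_ajp_secrets(xml_data, names=("secret", "requiredSecret")):
    """Return (where, problem) pairs; secret values are never echoed."""
    findings, seen = [], set()  # seen: distinct secret values in the file
    for conn in ET.fromstring(xml_data).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # only AJP connectors carry the shared secret
        where = f"{conn.get('address', '*')} port {conn.get('port', '?')}"
        values = {n: conn.get(n) for n in names if conn.get(n) is not None}
        if not values:
            findings.append((where, "no secret attribute set"))
        elif len(set(values.values())) > 1:
            findings.append((where, "mismatch between " + " and ".join(sorted(values))))
        seen.update(values.values())
    if len(seen) > 1:
        # Covers the case where only one of the two spots was updated.
        findings.append(("all AJP connectors", "more than one distinct secret value"))
    return findings


if __name__ == "__main__":
    # Pass the path to server.xml as the first argument; defaults to SAMPLE.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for where, problem in check_ajp_secrets(data):
        print(f"{where}: {problem}")
```

An empty result means every AJP connector carries one consistent secret; run it against a copy of the file before and after editing.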