Comment 20 for bug 1647285

@dwmw2,

I figured out the issue. Long story short, freeipa (which is our CA), when we enroll a PC into the realm, it adds the freeIPA cert to /etc/ssl/certs/ca-certificates.crt like it should, however it also adds other information that it shouldn't.

This results in p11-kit-trust.so blowing parsing errors.

You can read the entire bug report here if you want.

https://pagure.io/freeipa/issue/8106