The ipa-submit helper configures libcurl to use /etc/ipa/ca.crt for CA trust. But if the client is not IPA-enrolled via ipa-client-install (e.g. ipa-getkeytab was used to get host keytab), then this file doesn't necessarily exist. It leads to hard-to-diagnose request failures.
ipa-submit should just use the system trust store. On an IPA server or client this will include the IPA CA. But it means that it will be easier to use the IPA helper on non-IPA-enrolled machines too.
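The behaviour proposed above, as an added shell example (not certmonger's or FreeIPA's own code): the hypothetical `curl_ca_args` helper emits the extra curl option for a request to the IPA CA, defaulting to the system trust store when no explicit CA file is given, and failing with a clear message when a configured file such as /etc/ipa/ca.crt is missing instead of letting libcurl surface a vague TLS error. The function name and argument convention are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of ipa-submit. Decide how curl/libcurl should
# validate the IPA CA's TLS certificate.
#
# $1: optional explicit CA file. An empty value means "rely on the system
#     trust store", which already contains the IPA CA on an enrolled
#     server or client and needs no /etc/ipa/ca.crt on other hosts.
#
# Prints the curl option to append (nothing for the system store) and
# returns non-zero if an explicit CA file was requested but is unusable.
curl_ca_args() {
    ca_file="$1"
    if [ -z "$ca_file" ]; then
        # No --cacert at all: curl/libcurl falls back to the system bundle.
        return 0
    fi
    if [ ! -r "$ca_file" ]; then
        # Fail loudly here rather than inside the TLS handshake, where the
        # missing file would only show up as an opaque verification error.
        echo "CA file $ca_file is missing or unreadable" >&2
        return 1
    fi
    printf '%s %s\n' --cacert "$ca_file"
}

# Usage (hypothetical host name and path, not run here):
#   IPA_CA=""                       # default: system trust store
#   IPA_CA=/etc/ipa/ca.crt          # opt in to the explicit file
#   opts=$(curl_ca_args "$IPA_CA") || exit 1
#   curl $opts https://ipa.example.test/ipa/json
```

With the empty default, an AD-enrolled or otherwise non-IPA-enrolled host only needs the IPA CA in its system trust store (for example via `update-ca-trust`), which is what the proposal above relies on.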
What is the use case for this? Why would you expect to use an IPA master without being enrolled as an IPA client?
Granted, with system trust now working properly passing a specific CA is probably no longer necessary.
@rcritten use case outlined in blog post: https://frasertweedale.github.io/blog-redhat/posts/2019-09-23-direct-integration-ipa-certs.html. AD-enrolled system getting certs from IPA.