Revert "Point InternalTLSVncCAFile to /etc/ipa/ca.crt"

We believe this change induced a regression[1] that is further breaking TripleO TLS-Everywhere deployments. Submitting a revert patch while we investigate and work on a more robust solution.

[1] - https://bugzilla.redhat.com/show_bug.cgi?id=1743485

This reverts commit ade09f3a34.

Change-Id: I1d8a3ec6655598f456736dbfdcdff0ca7d963288

deployment/nova/nova-libvirt-container-puppet.yaml

@@ -102,7 +102,7 @@ parameters:
     type: string
     description: Specifies the CA cert to use for NBD TLS.
   InternalTLSVncCAFile:
-    default: '/etc/ipa/ca.crt'
+    default: '/etc/pki/CA/certs/vnc.crt'
     type: string
     description: Specifies the CA cert to use for VNC TLS.
   InternalTLSQemuCAFile:

deployment/nova/nova-vnc-proxy-container-puppet.yaml

@@ -51,7 +51,7 @@ parameters:
                  enable TLS transaport for libvirt VNC and configure the
                  relevant keys for libvirt.
   InternalTLSVncCAFile:
-    default: '/etc/ipa/ca.crt'
+    default: '/etc/pki/CA/certs/vnc.crt'
     type: string
     description: Specifies the CA cert to use for VNC TLS.
   LibvirtVncCACert:

releasenotes/notes/nova_point_InternalTLSVncCAFile_to_ipa_ca-23830eab2b91fdf8.yaml

@@ -1,10 +0,0 @@
----
-fixes:
-  - |
-    In case the freeipa CA is a sub CA of an external CA the InternalTLSVncCAFile
-    requrested does not have the full CA chain and only have the free IPA
-    CA. As a result qemu which can not verify the vnc certificate sent by
-    the vnc-proxy. The issue is in certmonger as it does not return the full
-    CA chain.
-    As a workaround, until certmonger is fixed, this change points the
-    InternalTLSVncCAFile to /etc/ipa/ca.crt which has the full CA chain.