In case the freeipa CA is a sub CA of an external CA the
InternalTLSVncCAFile requrested does not have the full CA
chain and only have the free IPA CA. As a result qemu
which can not verify the vnc certificate sent by the
vnc-proxy. The issue is in certmonger[1] as it does not return the
full CA chain.
As a workaround, until certmonger is fixed, this change points the
InternalTLSVncCAFile to /etc/ipa/ca.crt which has the full CA chain.
[1] - https://bugzilla.redhat.com/show_bug.cgi?id=1710632
Change-Id: I750c5572505ff58b8164906754f1bcaf4fd256e0
fc914e9611