Hi,
After a bit more searching - my issue looks exactly like this one: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
I also have the same error in /var/log/pki/pki-tomcat/kra/system:
0.ajp-bio-127.0.0.1-8009-exec-1 - [20/Sep/2019:00:04:55 CEST] [6] [3] Cannot authenticate agent with certificate Serial 0x7 Subject DN CN=IPA RA,O=IMS.DCN.TELEKOM.DE. Error: User not found
And I checked the value stored under uid=ipara, it seems to match exactly the RA cert from /var/lib/ipa/ra-agent.pem. Any other place to check...?
--- Regards, Dmitry Perets