It didn't fail on the subsystem certificate, it failed on the TLS
certificate for the CA itself (it seems). You can check that with:

getcert list -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca"


Here's the output:

[root@freeipa ca]# getcert list -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca"
Number of certificates and requests being tracked: 9.
Request ID '20210601131824':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=RHELENT.LAN
subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
expires: 2021-06-08 16:53:15 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes





 
If it expires in 2023 then you're ok with the CA anyhow.


Listed as expiring in 2021.  Can I force this to be re-issued?

Thanks
Marc