Looks like you're running into
https://bugzilla.redhat.com/show_bug.cgi?id=1780782
The fix wasn't backported to the ipa-4.6 branch.
Try retrieving the CSR from certmonger as suggested in the BZ.
I tried that, bot no change:
# grep -A 19 csr /var/lib/certmonger/requests/20210601131824
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDDTCCAfUCAQAwJzEUMBIGA1UECgwLUkhFTEVOVC5MQU4xDzANBgNVBAMMBklQ
QSBSQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwhWQd1/97oB3yd
DSQqOz3ZlBM0DygBWflWgbnMVsqf/HHpw+kDZeq5mRJ62/62/ene25/E6QuYOOvN
YfwcJdaqGRRhXLlURYsKgeXymK8Y58+/97+yP4YRe1/QEw0MogMwY/+ov2BOIy+i
6OmsZhuIv6ZgPEXqMqXgm9VP082uuwH0eLu60+H4stVr9BsFvC6wOb3N6nIIpd0N
RgjMTFUPLyBWqw1R7q+dyaNcGDUiHycYLO3q/8F9YQyOGVC/Y1psgXH33RvuEkWI
pb8GHjmqSPpMWBp8EhZsXc6g4jvD4sD7wlClLKJvz/+Xq3jVxkE+kPMO14LRU+eo
Dh7c63MCAwEAAaCBoDArBgkqhkiG9w0BCRQxHh4cADIAMAAyADEAMAA2ADAAMQAx
ADMAMQA4ADIAMzBxBgkqhkiG9w0BCQ4xZDBiMA4GA1UdDwEBAAQEAwIE8DAgBgNV
HSUBAQAEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAgBgNV
HQ4BAQAEFgQU+KhKXfD/PdXMbPumFzZncl96xmswDQYJKoZIhvcNAQELBQADggEB
AH0LQGM63xHZP0GQsV28kcqIVr5qcnJugRwXPpJ90Hbp+MGjHrhS4vAWRRULRnAh
0t5XziT95j3UuixFCt8pe5yoy/YPiczR7Hkk/s+JVV8iNuqO6vvFe32yIKTpaULC
BG6S38F7WVoj4+Gv9rq2nY9U02NFzGlujip7gtrnTMaGQ7KOu+J/vksICOwe9/yM
zHjw5t+p1Ltbk4691fcmV9iZp0FR5bSAUweFJnO+er3ovPqtDtGf+LfTaaAWB3EE
Tl1aoswI4YtpFWtuN3A9RU0z42Q1VDau6ITj05zLJRE3MhZsZY5OjuRTMlpoSqxv
0DU4gR7eTcjzO7TcKELQnBs=
-----END NEW CERTIFICATE REQUEST-----
spkac=MIICQDCCASgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcIVkHdf/e6Ad8nQ0kKjs92ZQTNA8oAVn5VoG5zFbKn/xx6cPpA2XquZkSetv+tv3p3tufxOkLmDjrzWH8HCXWqhkUYVy5VEWLCoHl8pivGOfPv/e/sj+GEXtf0BMNDKIDMGP/qL9gTiMvoujprGYbiL+mYDxF6jKl4JvVT9PNrrsB9Hi7utPh+LLVa/QbBbwusDm9zepyCKXdDUYIzExVDy8gVqsNUe6vncmjXBg1Ih8nGCzt6v/BfWEMjhlQv2NabIFx990b7hJFiKW/Bh45qkj6TFgafBIWbF3OoOI7w+LA+8JQpSyib8//l6t41cZBPpDzDteC0VPnqA4e3OtzAgMBAAEWADANBgkqhkiG9w0BAQsFAAOCAQEANLPk6UZoMcMh1HC+0aUOPqpxfNbenr4Vy32ieKuUZYdESXlKdutuIZStCAGobduEEABpQg9hj54R3l8ruFTGdNy+Yd4vXglDFfYUtHid0VV0PTy9DF7pa2brWR6OMysR9EquR4eAWvTIwF6oFFz+b/5FBY6mQa67DPiK7gVd4a39JolPGpMmvxXrCgIF3008jtlhsZwkNosFkHYwMryqLoNwi2I9mPqOv/ZeGq6ymHMi+P7IZnsKqt16sZQJXLpAbnKpc9RiJSxYrDGUB6O0wbqkyjaTrFMLHbM+xSJxN66OoUAkd80mYvS2xEYeqm5IqtoG2uTjo3z5RbKiaOHfrw==
Then, added
ca.cert.sslserver.certreq=MIIDDTCCAfUCAQAwJzEUMBIGA1UECgwLUkhFTEVOVC5MQU4xDzANBgNVBAMMBklQQSBSQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwhWQd1/97oB3ydDSQqOz3ZlBM0DygBWflWgbnMVsqf/HHpw+kDZeq5mRJ62/62/ene25/E6QuYOOvNYfwcJdaqGRRhXLlURYsKgeXymK8Y58+/97+yP4YRe1/QEw0MogMwY/+ov2BOIy+i6OmsZhuIv6ZgPEXqMqXgm9VP082uuwH0eLu60+H4stVr9BsFvC6wOb3N6nIIpd0NRgjMTFUPLyBWqw1R7q+dyaNcGDUiHycYLO3q/8F9YQyOGVC/Y1psgXH33RvuEkWIpb8GHjmqSPpMWBp8EhZsXc6g4jvD4sD7wlClLKJvz/+Xq3jVxkE+kPMO14LRU+eoDh7c63MCAwEAAaCBoDArBgkqhkiG9w0BCRQxHh4cADIAMAAyADEAMAA2ADAAMQAxADMAMQA4ADIAMzBxBgkqhkiG9w0BCQ4xZDBiMA4GA1UdDwEBAAQEAwIE8DAgBgNVHSUBAQAEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAgBgNVHQ4BAQAEFgQU+KhKXfD/PdXMbPumFzZncl96xmswDQYJKoZIhvcNAQELBQADggEBAH0LQGM63xHZP0GQsV28kcqIVr5qcnJugRwXPpJ90Hbp+MGjHrhS4vAWRRULRnAh0t5XziT95j3UuixFCt8pe5yoy/YPiczR7Hkk/s+JVV8iNuqO6vvFe32yIKTpaULCBG6S38F7WVoj4+Gv9rq2nY9U02NFzGlujip7gtrnTMaGQ7KOu+J/vksICOwe9/yMzHjw5t+p1Ltbk4691fcmV9iZp0FR5bSAUweFJnO+er3ovPqtDtGf+LfTaaAWB3EETl1aoswI4YtpFWtuN3A9RU0z42Q1VDau6ITj05zLJRE3MhZsZY5OjuRTMlpoSqxv0DU4gR7eTcjzO7TcKELQnBs=
to /etc/pki/pki-tomcat/ca/CS.cfg, then run:
# ipa-cert-fix
WARNING
ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of IPA. It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.
The following certificates will be renewed:
Dogtag sslserver certificate:
Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
Serial: 23
Expires: 2021-06-08 16:53:15
IPA IPA RA certificate:
Subject: CN=IPA RA,O=RHELENT.LAN
Serial: 21
Expires: 2021-06-08 16:52:45
Enter "yes" to proceed: yes
Proceeding.
Command 'pki-server cert-fix --ldapi-socket /var/run/slapd-RHELENT-LAN.socket --agent-uid ipara --cert sslserver --extra-cert 21' returned non-zero exit status 1
The ipa-cert-fix command failed.
[root@freeipa ca]# pki-server cert-fix --ldapi-socket /var/run/slapd-RHELENT-LAN.socket --agent-uid ipara --cert sslserver --extra-cert 21
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Fixing the following system certs: ['sslserver']
INFO: Renewing the following additional certs: ['21']
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Creating a temporary sslserver cert
INFO: Getting sslserver cert info for ca
INFO: Trying to create a new temp cert for sslserver.
INFO: Generate temp SSL certificate
INFO: Getting sslserver cert info for ca
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
ERROR: Unable to find CSR for sslserver cert
thanks
Marc