Nevermind, it appears there may be some minimum amount of time before certmonger looks at a cert, and the amount of time is greater than my 10 minutes. I'll watch the logs overnight and adjust certificate validity to be slightly longer and continue my testing. Sorry for the noise!

On Tue, Aug 30, 2022 at 5:52 PM IPA Listmail <ipalistmail@gmail.com> wrote:
client: el8
ipa server: el7

I created a cert via:
  sudo ipa-getcert request -w -v -D <san1> -D <san2> -K PUPPET/$(hostname -f)\
    -k /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem\
    -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem

Everything about the cert _appears_ to be fine. Openssl output looks normal and the puppet agent runs fine.

During testing I have radically reduced the certificate validity down to 10 minutes. The output of ipa-getcert list is:

Number of certificates and requests being tracked: 1.
Request ID '20220830202305':
       status: MONITORING
       stuck: no
       key pair storage: type=FILE,location='/etc/puppetlabs/puppet/ssl/private_keys/ip-10-0-82-56.eu-west-1.compute.internal.pem'
       certificate: type=FILE,location='/etc/puppetlabs/puppet/ssl/certs/ip-10-0-82-56.eu-west-1.compute.internal.pem'
       CA: IPA
       issuer: CN=Certificate Authority,O=DOMAIN.COM 20220829230619
       subject: CN=ip-10-0-82-56.eu-west-1.compute.internal,O=DOMAIN.COM 20220829230619
       issued: 2022-08-30 21:29:11 UTC
       expires: 2022-08-30 21:39:11 UTC
       dns: ip-10-0-82-56.eu-west-1.compute.internal
       principal name: host/ip-10-0-82-56.eu-west-1.compute.internal@DOMAIN.COM
       key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
       eku: id-kp-serverAuth,id-kp-clientAuth
       pre-save command:  
       post-save command:  
       track: yes
       auto-renew: yes

However, it never actually updates before (or after) expiration. I have tried restarting the service and rebooting. This is happening on two hosts. I see no failures in the log or anything in the log after the last resubmit command. I have manually used rekey and resubmit. Both worked fine. Using a blog post from Fraser, I tried start-tracking with --no-renew, then --renew. I looked for errors. The only thing that seem kind of odd to me is in /var/lib/certmonger/requests/20220830202305:
last_need_notify_check=20220830205312
last_need_enroll_check=20220830205312