ipa-server-certinstall will start tracking on any certificates it loads assuming that IPA provides a CA. It is extremely unlikely that certmonger will know how to renew such a certificate so the tracking is bound to fail.
As per discussion on #freeipa, I tried to install a 3rd party SSL certificate by following the instructions on the wiki page at http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP:
Directory Manager password: Enter private key unlock password: Command /usr/bin/certutil' '-d' '/etc/httpd/alias' '-D' '-n' 'Server-Cert returned non-zero exit status 255
After this I was unable to start httpd service, error_log revealed the following error messages:
[Wed Nov 25 18:15:44.262751 2015] [:error] [pid 22124] Certificate not found: 'Server-Cert'
In order to resurrect the service I had to change NSSNickname in /etc/httpd/conf.d/nss.conf to match the new certificate's nickname.
[root@shdc01 ~]# yum list installed | grep ipa-server
ipa-server.x86_64 4.1.0-18.el7.centos.4 @updates
[root@shdc01 ~]# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
It turned out that it wasn't a full resurrection either, as I couldn't get into the Authentication tab in the FreeIPA UI - I kept getting the following error message: "Unable to communicate with CMS (Service Unavailable)".
The authentication tab == certificates - which means that there is then an issue with communication with dogtag.
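As an added illustration (not part of this ticket and not FreeIPA's own code), a POSIX shell check that the NSSNickname in httpd's nss.conf names a certificate actually present in the NSS database, which is the mismatch behind the "Certificate not found: 'Server-Cert'" error above. The certutil listing and the nss.conf lines are constructed samples; on a real host you would feed it the output of certutil -L -d /etc/httpd/alias and the contents of /etc/httpd/conf.d/nss.conf.

```shell
#!/bin/sh
# Check that the NSSNickname in httpd's nss.conf names a certificate that
# really exists in the NSS database, which is the mismatch behind
# "Certificate not found: 'Server-Cert'" after a third-party cert install.

# Constructed sample standing in for `certutil -L -d /etc/httpd/alias`;
# here the imported certificate was stored under a hostname nickname,
# not under the stock "Server-Cert" nickname.
SAMPLE_CERTUTIL='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA CA                                                       CT,C,C
shdc01.example.test                                          u,u,u
'

# db_nicknames LISTING -> prints one nickname per line, dropping the header
# lines and the trust-attribute column (nicknames may contain spaces).
db_nicknames() {
    printf '%s\n' "$1" | awk '$NF ~ /^[CTPcpuw,]+$/ {
        sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, ""); print }'
}

# nss_nickname CONF_TEXT -> prints the first uncommented NSSNickname value
# (single-word nicknames only, as in the stock nss.conf).
nss_nickname() {
    printf '%s\n' "$1" | awk '$1 == "NSSNickname" { print $2; exit }'
}

# check_nss_conf CONF_TEXT LISTING -> 0 when consistent, 1 on mismatch
check_nss_conf() {
    nick=$(nss_nickname "$1")
    [ -n "$nick" ] || { echo "no NSSNickname set in nss.conf"; return 1; }
    if db_nicknames "$2" | grep -qxF -- "$nick"; then
        echo "OK: NSSNickname '$nick' exists in the NSS database"
        return 0
    fi
    echo "MISMATCH: NSSNickname '$nick' is not in the NSS database;" \
         "httpd will fail with Certificate not found"
    return 1
}

# Constructed nss.conf fragments: the stock nickname (reports a mismatch
# against the sample DB) and the hand-edited one from the workaround above.
check_nss_conf 'NSSNickname Server-Cert' "$SAMPLE_CERTUTIL" || :
check_nss_conf 'NSSNickname shdc01.example.test' "$SAMPLE_CERTUTIL"
```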
duplicate of #4785
Metadata Update from @rcritten: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE