Hi Rob,
When certmonger fails to renew a cert, and PKI is running, it fails and
dogtag-ipa-ca-renew-agent-submit shows the message:
ACIError: Insufficient access: Invalid credentials
Aug 10 01:04:34 ca-ldap01 certmonger[8834]: 2018-08-10 01:04:34 [8834] Internal error
I hope to troubleshoot this, so insufficient access to where?
Again, PKI is running, with no TLS, and this command returns "HTTP/1.1 200 OK"
# SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt \
    https://`hostname`:8443/ca/agent/ca/profileReview