#7422 [debian] server install failure: [10/28]: requesting RA certificate from CA
Closed: invalid 6 years ago Opened 6 years ago by tjaalton.

Issue

Installing the server on Debian fails while configuring the certificate server:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes
[1/28]: configuring certificate server instance
[2/28]: exporting Dogtag certificate store pin
[3/28]: stopping certificate server instance to update CS.cfg
[4/28]: backing up CS.cfg
[5/28]: disabling nonces
[6/28]: set up CRL publishing
[7/28]: enable PKIX certificate path discovery and validation
[8/28]: starting certificate server instance
[9/28]: configure certmonger for renewals
[10/28]: requesting RA certificate from CA
[error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)

systemctl status certmonger shows:
"Error 77 connecting to https://foo:8443/ca/agent/ca//profileReview: Problem with the SSL CA cert (path? access rights?)."

and the pki-tomcat logs don't show anything alarming to me.

Version/Release/Distribution

Debian unstable: 4.6.3-1


Ok so this error is related to not having libnsspem installed, but after installing it I get:

Error 60 connecting to https://sid1.leon:8443/ca/agent/ca//profileReview: Peer certificate cannot be authenticated with given CA certificates.

Can you show the contents of the raw failed certmonger request file in /var/lib/ipa/certmonger/requests? You can skip the contents of the certs, csr, etc.

id=20180221215228
key_type=RSA
key_gen_type=RSA
key_size=2048
key_gen_size=2048
key_next_type=UNSPECIFIED
key_next_gen_type=RSA
key_next_size=0
key_next_gen_size=2048
key_preserve=0
key_storage_type=FILE
key_storage_location=/var/lib/ipa/ra-agent.key
key_perms=0
key_pubkey=3082010A0282010100AC6740386281457B...
key_pubkey_info=30820122300D06092A864886F70D01...
key_generated_date=20180221215228
key_requested_count=1
key_issued_count=0
cert_storage_type=FILE
cert_storage_location=/var/lib/ipa/ra-agent.pem
cert_perms=0
cert_is_ca=0
cert_ca_path_length=0
cert_no_ocsp_check=0
last_need_notify_check=19700101000000
last_need_enroll_check=19700101000000
template_subject=O=LEON,CN=IPA RA
template_principal=host/sid1.leon
template_is_ca=0
template_ca_path_length=0
template_profile=caServerCert
template_no_ocsp_check=0
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDZTCCAk0CAQAwIDENMAsGA1UECgwETEVPTjEPMA0GA1UEAxMGSVBBIFJBMIIB
...
-----END NEW CERTIFICATE REQUEST-----
spkac=MIICQDCCASgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsZ0A4Yo...
scep_tx=60284385125599101002452242483464435007338417665640849213971555576268953140332
minicert=MIIC2DCCAcACIQCFR8C4+5nAw4FJK+8earKUQzpMdtzGLzEAMrR7oQK8bDA...
state=CA_UNREACHABLE
autorenew=1
monitor=1
ca_name=dogtag-ipa-ca-renew-agent
submitted=20180221215228
ca_cookie=state=approve&requestId=7
ca_error=Error 60 connecting to https://sid1.leon:8443/ca/agent/ca//profileReview: Peer certificate cannot be authenticated with given CA certificates.
pre_certsave_command=/usr/lib/ipa/certmonger/renew_ra_cert_pre
pre_certsave_uid=0
post_certsave_command=/usr/lib/ipa/certmonger/renew_ra_cert
post_certsave_uid=0
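The request file above is certmonger's plain key=value tracking format, where a PEM value such as csr= runs on until its -----END ...----- line. The following parser is an added example, not code from FreeIPA or certmonger: it reads such files (the format is inferred from the file quoted in this ticket, which is an assumption) and lists every request that is not in the steady MONITORING state together with its ca_error, which is the first thing to look at when an install or renewal stalls. The sample inputs are constructed, trimmed copies of the request from this ticket plus a healthy one for contrast.

```python
"""Triage certmonger request files (added example, not FreeIPA/certmonger code).

certmonger keeps one key=value file per tracked certificate under
/var/lib/ipa/certmonger/requests (the directory named in this ticket).
Multi-line PEM values (csr=...) continue until their -----END ...----- line.
The format handling below is an assumption based on the quoted file.
"""
import re
from pathlib import Path

PEM_BEGIN = re.compile(r"^-----BEGIN [A-Z ]+-----$")
PEM_END = re.compile(r"^-----END [A-Z ]+-----$")

# Assumption: MONITORING is certmonger's steady state; anything else is worth a look.
HEALTHY_STATES = {"MONITORING"}


def parse_request(text):
    """Parse one certmonger request file into a dict of str -> str."""
    fields = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line or "=" not in line:
            continue
        # Split on the first '=' only: values like ca_cookie=state=approve&requestId=7
        # contain '=' themselves.
        key, value = line.split("=", 1)
        if PEM_BEGIN.match(value):
            # Collect the PEM body up to and including its END marker.
            block = [value]
            while i < len(lines):
                block.append(lines[i])
                i += 1
                if PEM_END.match(block[-1]):
                    break
            value = "\n".join(block)
        fields[key] = value
    return fields


def triage(requests):
    """Return [(id, state, ca_error)] for every request not in a healthy state."""
    problems = []
    for fields in requests:
        state = fields.get("state", "UNKNOWN")
        if state not in HEALTHY_STATES:
            problems.append((fields.get("id", "?"), state, fields.get("ca_error", "")))
    return problems


def triage_directory(path):
    """Parse and triage every file in a certmonger requests directory."""
    files = [p for p in Path(path).iterdir() if p.is_file()]
    return triage(parse_request(p.read_text()) for p in files)


# Constructed samples: a trimmed copy of the failed request from the ticket
# and a healthy request for contrast.
SAMPLE_FAILED = """\
id=20180221215228
key_storage_type=FILE
key_storage_location=/var/lib/ipa/ra-agent.key
cert_storage_location=/var/lib/ipa/ra-agent.pem
template_subject=O=LEON,CN=IPA RA
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDZTCCAk0CAQAwIDENMAsGA1UECgwETEVPTjEPMA0GA1UEAxMGSVBBIFJBMIIB
-----END NEW CERTIFICATE REQUEST-----
state=CA_UNREACHABLE
ca_name=dogtag-ipa-ca-renew-agent
ca_cookie=state=approve&requestId=7
ca_error=Error 60 connecting to https://sid1.leon:8443/ca/agent/ca//profileReview: Peer certificate cannot be authenticated with given CA certificates.
"""

SAMPLE_OK = """\
id=20180221215300
state=MONITORING
ca_name=dogtag-ipa-ca-renew-agent
"""

if __name__ == "__main__":
    for rid, state, err in triage([parse_request(SAMPLE_FAILED), parse_request(SAMPLE_OK)]):
        print(f"{rid}: {state} {err}")
```

Run it as root against /var/lib/ipa/certmonger/requests with triage_directory() to get the same one-line-per-stuck-request summary that the thread reconstructed by hand from the raw file.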

ok so that error was due to the pki-tomcat nssdb being on sql, since the new libnss is using it by default. Downgrading libnss fixed that and I got a few steps further, but now got this:

2018-02-22T00:04:43Z DEBUG [13/28]: publishing the CA certificate
2018-02-22T00:04:43Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 506, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 496, in run_step
    method()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 807, in __export_ca_chain
    chain = self.__get_ca_chain()
  File "/usr/lib/python2.7/dist-packages/ipaserver/install/cainstance.py", line 800, in __get_ca_chain
    raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
RuntimeError: Unable to retrieve CA chain: [Errno 111] Connection refused

and that error is just due to a racy certserv restart, 'systemd is-active' returns way too early on Debian, where tomcat is not initialized with systemd but an initscript, so after adding some time.sleep() it works.

feel free to close this, thanks for the debugging session on IRC!
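The race described in the last comment (the service is reported active before Tomcat listens, so the next step gets [Errno 111] Connection refused) is usually handled more robustly than a fixed time.sleep() by polling the CA port until it accepts connections or a deadline passes. The code below is an added example, not FreeIPA's own code; the host and port defaults come from the URL quoted in this ticket and are assumptions. self_check() demonstrates both outcomes on localhost with a constructed listener, so it runs offline.

```python
"""Wait for a CA port to be ready instead of sleeping a fixed time.

Added example, not FreeIPA code. On Debian the pki-tomcatd initscript exits
before Tomcat is listening, so `systemctl is-active` is not a readiness signal.
Polling the TCP port treats ECONNREFUSED (Errno 111) as "not yet" and gives
up at a deadline rather than hanging an install forever.
"""
import socket
import time

# Assumed defaults taken from the URL in the ticket (https://sid1.leon:8443/...).
DEFAULT_HOST = "sid1.leon"
DEFAULT_PORT = 8443


def port_ready(host, port, connect_timeout=1.0):
    """One probe: True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=connect_timeout):
            return True
    except ConnectionRefusedError:
        return False  # nothing listening yet (Errno 111)
    except OSError:
        return False  # timeout, unreachable, or name resolution failure: keep polling


def wait_for_port(host=DEFAULT_HOST, port=DEFAULT_PORT, timeout=120.0, interval=1.0,
                  clock=time.monotonic, sleep=time.sleep):
    """Poll until host:port accepts connections.

    Returns the elapsed seconds on success, or None if the deadline passes.
    clock and sleep are injectable so callers can test without real delays.
    """
    start = clock()
    deadline = start + timeout
    while True:
        if port_ready(host, port):
            return clock() - start
        if clock() >= deadline:
            return None
        sleep(interval)


def self_check():
    """Demonstrate on 127.0.0.1 with a constructed listener.

    Returns (listening_detected, closed_port_timed_out): both True when the
    probe recognises a live port and gives up on a dead one.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        listening_detected = wait_for_port("127.0.0.1", port, timeout=5.0, interval=0.1) is not None
    finally:
        srv.close()
    # Nothing listens on the freed port any more, so the wait must give up.
    closed_port_timed_out = wait_for_port("127.0.0.1", port, timeout=0.5, interval=0.1) is None
    return listening_detected, closed_port_timed_out


if __name__ == "__main__":
    print(self_check())
```

A port that accepts connections only shows that Tomcat is up; the CA web application may still be deploying, so an installer that needs the CA itself would follow this with an application-level check (the thread's [13/28] step fetching the CA chain is exactly that) and keep the deadline, which is what turns a silent hang into a diagnosable error.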

Metadata Update from @tjaalton:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)


didn't realize I can close it myself
