ipa-cert-fix ERROR: Unable to find CSR for sslserver cert
Issue
- While trying to renew the IPA CA subsystem cert, ipa-cert-fix fails:
# ipa-cert-fix:
Command 'pki-server cert-fix --ldapi-socket
/var/run/slapd-EXAMPLE-COM.socket --agent-uid ipara --cert sslserver
--cert subsystem --cert ca_ocsp_signing --cert ca_audit_signing
--extra-cert 33' returned non-zero exit status 1
The ipa-cert-fix command failed.
- Running the underlying command directly, pki-server cert-fix --ldapi-socket /var/run/slapd-EXAMPLE-COM.socket --agent-uid ipara --cert sslserver --cert subsystem --cert ca_ocsp_signing --cert ca_audit_signing --extra-cert 33, returns this error:
# pki-server cert-fix --ldapi-socket /var/run/slapd-EXAMPLE-COM.socket --agent-uid ipara --cert sslserver --cert subsystem --cert ca_ocsp_signing --cert ca_audit_signing --extra-cert 33
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Fixing the following system certs: ['sslserver', 'subsystem',
'ca_ocsp_signing', 'ca_audit_signing']
INFO: Renewing the following additional certs: ['33']
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Creating a temporary sslserver cert
INFO: Getting sslserver cert info for ca
INFO: Trying to create a new temp cert for sslserver.
INFO: Generate temp SSL certificate
INFO: Getting sslserver cert info for ca
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
ERROR: Unable to find CSR for sslserver cert
- The workaround from this bug could be used: ipa-cert-fix tool fails when the Dogtag CA SSL CSR is missing from CS.cfg. However, here the folder /var/lib/certmonger/requests contains empty files, so the workaround suggested in that bug cannot be followed:
$ cd /var/lib/certmonger/requests/
$ ls -lrt
total 12
-rw-rw-rw-. 1 yank yank 0 Jul 14 2022 20180926040508
-rw-rw-rw-. 1 yank yank 0 Jul 14 2022 20180926040507
-rw-rw-rw-. 1 yank yank 0 Jul 14 2022 20180926040506
-rw-rw-rw-. 1 yank yank 0 Jul 14 2022 20180926040505
-rw-rw-rw-. 1 yank yank 0 Jul 14 2022 20180926040504
-rw-rw-rw-. 1 yank yank 0 Jul 14 2022 20180926040503
-rw-rw-rw-. 1 yank yank 0 Jul 14 2022 20180926040502
-rw-rw-rw-. 1 yank yank 0 Jul 14 2022 20180926040501
-rw-rw-rw-. 1 yank yank 0 Jul 14 2022 20180111152729
-rw-rw-rw-. 1 yank yank 8345 Dec 8 2022 20221108223858
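The listing above shows why the referenced workaround is blocked: the certmonger request files that should hold the original CSR are zero bytes. As an added example (not from this article or from certmonger/pki), the Python check below recreates that situation in a temporary directory and reports which request files could still supply a CSR; it assumes certmonger's request-file layout (key=value lines, multi-line values continued on lines beginning with a space) and the IPA CA server cert nickname Server-Cert cert-pki-ca, and the CSR body in the sample is constructed.

```python
import tempfile
from pathlib import Path

# Constructed sample in certmonger's request-file layout (assumption: key=value
# lines, with multi-line values continued on lines that start with a space).
SAMPLE_POPULATED = """id=20221108223858
cert_nickname=Server-Cert cert-pki-ca
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
 MIICconstructedSampleCsrBodyNotARealRequest==
 -----END NEW CERTIFICATE REQUEST-----
"""

def parse_request_file(text):
    """Parse key=value lines; a line starting with a space continues the previous value."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key is not None:
            fields[key] += "\n" + line[1:]
        elif "=" in line:
            key, _, value = line.partition("=")
            fields[key] = value
    return fields

def audit_requests(directory):
    """One record per request file; zero-byte files (as on this page) yield no CSR."""
    report = []
    for path in sorted(Path(directory).iterdir()):
        size = path.stat().st_size
        fields = parse_request_file(path.read_text()) if size else {}
        csr = fields.get("csr", "")
        report.append({
            "id": path.name,
            "empty": size == 0,
            "nickname": fields.get("cert_nickname", ""),
            "has_csr": csr.startswith("-----BEGIN") and "-----END" in csr,
        })
    return report

def usable_csr_ids(report, nickname):
    """Request IDs that could supply a CSR for the given cert nickname."""
    return [r["id"] for r in report if r["nickname"] == nickname and r["has_csr"]]

def run_demo():
    """Recreate the page's situation: empty request files plus one populated one."""
    tmp = Path(tempfile.mkdtemp())
    for req_id in ("20180926040508", "20180111152729"):
        (tmp / req_id).write_text("")  # zero-byte files like the listing above
    (tmp / "20221108223858").write_text(SAMPLE_POPULATED)
    report = audit_requests(tmp)
    return report, usable_csr_ids(report, "Server-Cert cert-pki-ca")
```

Running audit_requests against the real /var/lib/certmonger/requests before attempting ipa-cert-fix tells you up front whether any file still carries a CSR for the sslserver cert.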
Environment
- Red Hat Enterprise Linux 8.8
- IPA server