On 23 Oct 2017 19:45, Bhavin Vaidya via FreeIPA-users wrote:
> We did manage to delete the certificates, all but the right one (we figured out looking at clients' /etc/ipa/ca.crt).


I have seen /etc/ipa/ca.crt get out of date before. It wasn't updated automatically when renewing the CA cert, though I was using 3.x versions at the time. Thankfully, it's easy to check. You can open up the Web UI and check what the expiry date is in the browser. If it matches the below, just ignore this message.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=EXAMPLE.COM
    Issuer:      CN=Certificate Authority,O=EXAMPLE.COM
    Valid From:  Thu Jun 01 12:55:08 2017 UTC
    Valid Until: Mon Jun 01 12:55:08 2037 UTC

Joining realm failed: libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates
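
The check described in the reply above can also be done from the command line. The script below is an added example and is not part of the original message: it lists every certificate in the client's /etc/ipa/ca.crt and tests whether a reference copy of the current CA certificate is among them. It assumes the openssl CLI is installed and that the reference copy was taken from an IPA server; the path /root/ipa-server-ca.crt is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread). Requires the openssl CLI.

# Print "<SHA-256 fingerprint> <notAfter>" for every certificate in a PEM
# bundle ($1). Exit 2 if the file is unreadable or holds no certificate.
list_certs() (
    tmp=$(mktemp -d) || exit 2
    # Split the bundle into one file per certificate.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; in_cert = 1 }
        in_cert { print > (d "/" n ".pem") }
        /-----END CERTIFICATE-----/ { in_cert = 0; close(d "/" n ".pem") }
    ' "$1" || { rm -rf "$tmp"; exit 2; }
    rc=2
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || break
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 2>/dev/null) &&
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null) || { rc=2; break; }
        printf '%s %s\n' "${fp#*=}" "${end#notAfter=}"
        rc=0
    done
    rm -rf "$tmp"
    exit "$rc"
)

# Exit 0 if the reference CA certificate ($2) is present in the client's
# bundle ($1), 1 if it is missing, 2 if either file cannot be parsed.
ca_in_bundle() (
    ref=$(list_certs "$2") || exit 2
    have=$(list_certs "$1") || exit 2
    ref_fp=${ref%% *}    # fingerprint of the first reference certificate
    printf 'reference:\n%s\n' "$ref"
    printf 'client bundle:\n%s\n' "$have"
    printf '%s\n' "$have" | grep -qF "$ref_fp" || exit 1
)

# Example call (the second path is a hypothetical reference copy):
#   sh check-ca.sh /etc/ipa/ca.crt /root/ipa-server-ca.crt
if [ "$#" -eq 2 ]; then
    ca_in_bundle "$1" "$2"
fi
```

An exit status of 1 means the client's file does not contain the current CA certificate, which matches the "Peer certificate cannot be authenticated with known CA certificates" failure shown above.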