Thank you! That did it. I had to delete the old cert from cn=certificates,cn=ipa,cn=etc
Then I had to edit /etc/ipa/ca.crt on the IPA CA renewal master and remote the expired
cert. Then I ran ipa-certupdate. Then I was able to confirm that running openssl x509
-inform pem -enddate -noout -in /etc/ipa/ca.crt gave me the expected endDate of 2020.
Then I did the same on all other IPA servers. And then finally had to run ipactl restart
and all the WebUIs became accessible again. Now I'll run ipa-certupdate on all
remaining systems.
Thanks again for your help!