Hi Flo and Rob, additional update.
There is a discrepancy in some certs' expiry times among the 4 servers, so I thought maybe
another server could be a candidate to be the new renewal master.
The command "ipa-csreplica-manage set-renewal-master ca-ldap02" worked well,
hence "ipa config-show" on all 4 servers reads that ca-ldap02 is the IPA CA renewal
master.
But it's still a mixture of expired and valid certs: auditSigningCert, caSigningCert and
ipaCert are expired. So on ca-ldap02 I repeated the familiar process of "kill ntpd, go
back a few days, restart krb5kdc, dirsrv, httpd, CA, then certmonger" and got the
error from the previous update:
"Directory Server on ca-ldap02: Insufficient access: Invalid credentials"
Have a good weekend, hope to continue troubleshooting next week.
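Added example, not from this thread or from FreeIPA itself: a small POSIX shell helper that reads certmonger "getcert list" style output (a constructed sample from one server is embedded) and flags each tracked certificate as EXPIRED or VALID as of a given UTC time, so the expiry discrepancy between replicas can be compared before choosing a renewal master. It assumes the nickname='...' and "expires: YYYY-MM-DD HH:MM:SS UTC" line shapes that getcert prints.

```shell
#!/bin/sh
# Added example, not from the thread: parse certmonger "getcert list" output
# and flag each tracked certificate as EXPIRED or VALID as of a given UTC time.
# Assumes the nickname='...' and "expires: YYYY-MM-DD HH:MM:SS UTC" line shapes
# that getcert prints; dates are compared as ISO strings, so no GNU date needed.

# Constructed sample modelled on one server's getcert output (not real data).
SAMPLE=$(cat <<'EOF'
Request ID '20170101000001':
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2017-02-01 00:00:00 UTC
Request ID '20170101000002':
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2017-01-15 00:00:00 UTC
Request ID '20170101000003':
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    expires: 2018-01-01 00:00:00 UTC
Request ID '20170101000004':
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    expires: 2017-02-20 00:00:00 UTC
EOF
)

# report_certs "YYYY-MM-DD HH:MM:SS" < getcert-output
# Prints "nickname|expires|EXPIRED or VALID", one line per certificate.
report_certs() {
    awk -v now="$1" -v q="'" '
        /nickname=/ {                 # remember the nickname of this request
            n = $0
            sub(".*nickname=" q, "", n)
            sub(q ".*", "", n)
            nick = n
        }
        /^[ \t]*expires:/ {           # compare "YYYY-MM-DD HH:MM:SS" as text
            e = $2 " " $3
            printf "%s|%s|%s\n", nick, e, (e < now) ? "EXPIRED" : "VALID"
        }
    '
}

# expired_count "YYYY-MM-DD HH:MM:SS" < getcert-output -> number of expired certs
expired_count() {
    report_certs "$1" | grep -c '|EXPIRED$'
}

# Run against the sample as of a constructed "now" (2017-03-13 UTC).
printf '%s\n' "$SAMPLE" | report_certs "2017-03-13 00:00:00"
```

Run it on each replica with `getcert list | report_certs "$(date -u '+%Y-%m-%d %H:%M:%S')"` and compare the lists; the server whose CA certificates are still valid the longest is the natural candidate to promote.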