Hi all,
Came around to post the definite fix for my problem, don't know if it will help anyone
since it was all a mess.
As mentioned previously:
There's the expected "slapd-DOMAIN-IO" but I also have
a "try_ca_renew-slapd-DOMAIN-IO" dir dated from the 8th of June that resembles a
copy of "slapd-DOMAIN-IO", so I was wondering if between one and the other maybe
copying some files would work?
So I did this, and then the error that I got in pki-tomcat/ca/debug was the old message of
peer certificate expired.
So since I had already reverted to self-signed certificates, I issued the ipa-cert-fix command,
which failed.

[root@main ~]# ipa-cert-fix
Failed to get Server-Cert
The ipa-cert-fix command failed.

Then I tried the 'ipa-cacert-manage renew' command, which completed successfully.

[root@main ~]# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

And then all ipa services were able to start correctly (finally able to leave out both the
--skip-version-check and --ignore-service-failure):

[root@main ~]# ipactl restart
IPA version error: data needs to be upgraded (expected version
'4.6.6-11.el7.centos', current version '4.6.5-11.el7.centos.4')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-ods-exporter Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful