Hi all,
Came around to post the definite fix for my problem, don't know if it will help anyone since it was all a mess. As mentioned previously:
There's the expected "slapd-DOMAIN-IO" but I also have a "try_ca_renew-slapd-DOMAIN-IO" dir dated 8 June that resembles a copy of "slapd-DOMAIN-IO", so I was wondering if maybe copying some files between one and the other would work?
So I did this, and then the error that I got in pki-tomcat/ca/debug was the old message about the peer certificate being expired. Since I had already reverted to self-signed certificates, I issued the ipa-cert-fix command, which failed.
[root@main ~]# ipa-cert-fix
Failed to get Server-Cert
The ipa-cert-fix command failed.
Then I tried the 'ipa-cacert-manage renew' command which completed successfully.
[root@main ~]# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful
And then all ipa services were able to start correctly (finally able to leave out both the --skip-version-check and --ignore-service-failure):
[root@main ~]# ipactl restart
IPA version error: data needs to be upgraded (expected version '4.6.6-11.el7.centos', current version '4.6.5-11.el7.centos.4')
Automatically running upgrade, for details see /var/log/ipaupgrade.log
Be patient, this may take a few minutes.
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-ods-exporter Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful