VERSION: 4.6.90.pre1+git20180411, API_VERSION: 2.229

I'm having issues upgrading and/or setting up replication for my freeipa-server running on ubuntu 18.04. The same problem exists on three separate installations, making me quite sure it's not a random user error causing it. All the installations are single-node, with DNS-services and a CA installed, although the CA isn't (yet) used to generate any certificates for use outside the FreeIPA servers' own mesh of services.

The problem I consistently get essentially boils down to this:
IPA Error 4016: RemoteRetrieveError
Failed to authenticate to CA REST API

No matter if I try to upgrade, create a replica or just click my way to "Authentication -> Certificate Authorities -> ipa" (strangely enough, just clicking "Certificate Authorities" also throws up an error, but after clicking "ok" the list populates and the only entry, "ipa", is clickable but never gets me anywhere). I'm confident that fixing this problem would at least get me along to the next step of the road.

Insofar as I understand it, there was a bug (is, in the version I'm running) causing renewal of client certificates for the CMS to somehow fail. That's consistent with what I see when running the following (output last, for those interested):
getcert list | grep -B1 -A11 CA_REJECTED

The number of certificates listed varies from server to server, with the oldest installation sporting four rejected certificates.

I've been attempting to work around the issue for several days, using every trick of every link I've found when searching for others with similar problems, the most promising of which seemed to be to allow the CMS to connect to ldap using username and password instead of a client certificate. That didn't work. Neither did "ipa-backup" followed by "ipa-restore" on a fresh container installed with identical IP and system configuration as the original one, so I'm currently at a loss.

Does anyone have any idea how I can get things working again? Pointers to related issues would also be very helpful, or shortcuts to where I can at least get the system upgraded to a version that has some sort of proper documentation.

Unsurprisingly, doing a fresh install and then immediately upgrading to 4.7.1 from the ubuntu freeipa staging ppa works flawlessly, while my systems fail.

Request ID '20190321175220':
status: CA_REJECTED
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer: 
subject: 
expires: unknown
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190321175221':
status: CA_REJECTED
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer: 
subject: 
expires: unknown
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190321175222':
status: CA_REJECTED
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer: 
subject: 
expires: unknown
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
--
Request ID '20190321175225':
status: CA_REJECTED
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer: 
subject: 
expires: unknown
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
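The `grep -B1 -A11 CA_REJECTED` pipeline above only shows entries whose status happens to be CA_REJECTED and relies on every entry being exactly twelve lines. As an added example (not part of the original post, and not FreeIPA or certmonger code), the script below parses the full `getcert list` output into one record per tracking request and reports every request that is either stuck or in a certmonger failure state, together with the NSS nickname of the affected certificate. The sample output embedded in it is constructed, modelled on the entries quoted in the post; the request IDs, the caSigningCert entry and the `EXAMPLE.TEST` realm are made-up values.

```python
"""Report stuck or failed certmonger tracking requests from `getcert list` output."""
import re
import sys
from typing import Dict, List, Optional

# Constructed sample, modelled on the post's `getcert list` output: one
# rejected/stuck entry and one healthy entry. Values are made up.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20190321175220':
\tstatus: CA_REJECTED
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: 
\tsubject: 
\texpires: unknown
\tpre-save command: /usr/lib/ipa/certmonger/stop_pkicad
\tpost-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
\ttrack: yes
\tauto-renew: yes
Request ID '20190321175223':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2039-03-21 17:52:20 UTC
\ttrack: yes
\tauto-renew: yes
"""

# certmonger states that mean a renewal attempt was refused or could not
# reach the CA; a request in any of these needs operator attention.
FAILURE_STATES = {"CA_REJECTED", "CA_UNREACHABLE", "CA_UNCONFIGURED", "NEED_GUIDANCE"}

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Split `getcert list` output into one dict of key/value fields per request."""
    requests: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        match = REQUEST_RE.match(raw)
        if match:
            current = {"request_id": match.group(1)}
            requests.append(current)
            continue
        if current is None:
            continue  # header line before the first request
        line = raw.strip()
        if not line or ":" not in line:
            continue  # blank line or a grep "--" separator
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return requests


def nickname_of(request: Dict[str, str]) -> Optional[str]:
    """Extract the NSS nickname from the 'certificate:' field, if present."""
    match = NICKNAME_RE.search(request.get("certificate", ""))
    return match.group(1) if match else None


def find_stuck_renewals(text: str) -> List[Dict[str, str]]:
    """Return the requests that are stuck or sit in a failure state."""
    problems = []
    for request in parse_getcert_list(text):
        status = request.get("status", "")
        if request.get("stuck", "no") == "yes" or status in FAILURE_STATES:
            problems.append({
                "request_id": request["request_id"],
                "status": status,
                "nickname": nickname_of(request) or "<no nickname>",
                "ca": request.get("CA", "<unknown>"),
            })
    return problems


def format_report(problems: List[Dict[str, str]]) -> str:
    """Render one line per problem request, suitable for a cron/monitoring mail."""
    if not problems:
        return "all certmonger requests healthy"
    return "\n".join(
        f"{p['request_id']}  {p['status']:<15} {p['nickname']}  (CA: {p['ca']})"
        for p in problems
    )


if __name__ == "__main__":
    # Usage: getcert list | python3 this_script.py   (falls back to the sample)
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_OUTPUT
    print(format_report(find_stuck_renewals(source)))
```

Because the parser keys on the `Request ID` line rather than on a fixed number of lines per entry, it also copes with the `--` separators grep inserts and with entries that carry extra or missing fields, so it can be run directly over the raw `getcert list` output rather than the grep-filtered excerpt.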