Hi Flo and Rob, additional update.
There is a discrepancy in some of the certs' expiry times among the 4 servers, so I thought
maybe another server could be a candidate to be the new renewal master.
The command "ipa-csreplica-manage set-renewal-master ca-ldap02" worked well,
hence "ipa config-show" on all 4 servers
Agreed, Flo, I am making sure that I am in the past; unfortunately, still no
resolution.
[root@ca-ldap01 ~]# systemctl restart krb5kdc
[root@ca-ldap01 ~]# systemctl restart dirsrv@DOMAIN-COM.service
[root@ca-ldap01 ~]# systemctl restart httpd
[root@ca-ldap01 ~]# systemctl restart pki-tomcatd@pki-tomcat