Another quick observation about the NEED_CSR_GEN_TOKEN|PIN...
Although I have rolled the date back, in the GUI (Authentication > Certificates) those certs are still showing as Status EXPIRED.
For example, I run keytool on /var/lib/ipa/certs/httpd.crt and it is valid until Oct 21 (system date is Oct 8). It's serial number a/10. In the GUI, I view 10; compare the fingerprints to make sure I'm looking at the same one, same 'valid until', but in the main list it still says EXPIRED.
Is it possible somewhere it got flagged as expired and that's blocking its renewal?
Sean