Found it. The error message on the ipa server (in /var/log/httpd/error_log)
was less misleading:
SSL Library Error: -12195 Peer does not recognize and trust the CA that issued
After installing the ca-certificates package and adding the
root certificate to it the problem was gone.
Thanx to everybody
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project