Problem solved. For now. Sort of.
Thanks to https://community.theforeman.org/t/node-rb-pushfacts-certificate-verify-failure/10362/6 I tried taking out the cafile.
In /etc/puppetlabs/puppet/foreman.yaml, comment out the ca:
---
:url: "https://foreman.my.domain"
#:ssl_ca: "/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem"
:ssl_cert: "/etc/puppetlabs/puppet/ssl/certs/foreman.my.domain.pem"
:ssl_key: "/etc/puppetlabs/puppet/ssl/private_keys/foreman.my.domain.pem"
That in itself wasn’t enough: I also “reverted” Debian’s OpenSSL-config to a looser setting. This is a Debian/OpenSSL thingy, other distros probably don’t have this problem.
In /etc/ssl/openssl.cnf, change
CipherString = DEFAULT@SECLEVEL=2
to
CipherString = DEFAULT
It’s not a pretty solution, but at least things work.
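
An added check, not part of the original post: OpenSSL security level 2 rejects RSA and DSA keys under 2048 bits, EC keys under 224 bits, and MD5 or SHA-1 certificate signatures, so a script like this shows which certificate would need reissuing before `SECLEVEL=2` and `:ssl_ca:` can be restored. It assumes that is why verification fails in this setup; `key_info`, `seclevel2_problems` and `sample_cert` are hypothetical helper names, and the sample certificate is constructed.

```ruby
require "openssl"

# Minimum key sizes OpenSSL enforces at security level 2 (112-bit strength).
MIN_BITS = { "RSA" => 2048, "DSA" => 2048, "EC" => 224 }.freeze
WEAK_DIGESTS = /md5|sha1/i # digests rejected in certificate signatures at level 2

# Returns [type, bits] for the certificate's public key.
def key_info(cert)
  case (key = cert.public_key)
  when OpenSSL::PKey::RSA then ["RSA", key.n.num_bits]
  when OpenSSL::PKey::DSA then ["DSA", key.p.num_bits]
  when OpenSSL::PKey::EC  then ["EC", key.group.degree]
  else [key.class.name, nil]
  end
end

# Reasons a certificate fails level 2; OpenSSL skips the digest check for the trust anchor.
def seclevel2_problems(cert, trust_anchor: false)
  type, bits = key_info(cert)
  min = MIN_BITS[type]
  problems = []
  problems << "#{type} key is #{bits} bits, need >= #{min}" if min && bits && bits < min
  alg = cert.signature_algorithm
  problems << "signature uses #{alg}" if !trust_anchor && alg.match?(WEAK_DIGESTS)
  problems
end

# Constructed self-signed certificate, used when no file is given.
def sample_cert(bits)
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed.example")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

if __FILE__ == $PROGRAM_NAME
  certs = ARGV.map { |path| [path, OpenSSL::X509::Certificate.new(File.read(path))] }
  certs = [["constructed 1024-bit sample", sample_cert(1024)]] if certs.empty?
  certs.each do |label, cert|
    anchor = cert.subject.to_s == cert.issuer.to_s # assumption: self-issued = trust anchor
    problems = seclevel2_problems(cert, trust_anchor: anchor)
    puts "#{label}: #{problems.empty? ? 'meets SECLEVEL=2' : problems.join('; ')}"
  end
end
```

Pass the PEM files named in foreman.yaml (the CA certificate and the client certificate) as arguments to audit them instead of the constructed sample.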