Actually, trusting the certificate made everything worse.
# trust list | grep ISRG\ Root\ X1
yielded the same certificate twice, and the supplier was then unable to connect to the
consumer (or itself), yielding "unable to get issuer certificate" (so not only
when replicating, but also when using ldapsearch etc.).
To fix this, I needed to execute:
# rm /etc/pki/ca-trust/source/*.p11-kitt
# update-ca-trust
Now, I am again faced with the original problem (but luckily, only that one).