Can you check the format of the certificate?
I have similar issues and in my case the certificate (and the chain) have the subject in
printable format. FreeIPA issues the CSR with UTF and thus there is a mismatch.
You can check the certificate like this:
openssl x509 -in ca-certificate.pem -subject -issuer -nameopt multiline,show_type -noout -subject_hash -issuer_hash
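
The mismatch described above, as an added example that is not part of the original message: a minimal DER walk that reports the ASN.1 string type of each subject attribute (the same type names that `-nameopt show_type` prints) and flags attributes whose text is identical while the type differs. The sample name and all function names are constructed for illustration.

```python
O, CN = bytes.fromhex("55040a"), bytes.fromhex("550403")  # attribute OIDs
OIDS = {O: "O", CN: "CN"}
TAGS = {0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING", 0x16: "IA5STRING"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value

def name_attrs(der):
    """Flatten a Name into [(attribute, string_type, text)]."""
    tag, rdns, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out = []
    for _, rdn in children(rdns):        # each RDN is a SET
        for _, atv in children(rdn):     # SEQUENCE { OID, value }
            (_, oid), (stag, text) = list(children(atv))
            out.append((OIDS.get(oid, oid.hex()), TAGS.get(stag, hex(stag)),
                        text.decode("utf-8", "replace")))
    return out

def type_mismatches(a, b):
    """Attributes whose text is equal but whose ASN.1 string type differs."""
    return [(x[0], x[1], y[1]) for x, y in zip(name_attrs(a), name_attrs(b))
            if x[0] == y[0] and x[2] == y[2] and x[1] != y[1]]

def make_name(string_tag, attrs):
    """Build a constructed sample Name (short-form lengths only, < 128 bytes)."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(string_tag, text.encode())))
        for oid, text in attrs))

# Constructed sample subject, encoded once as UTF8String and once as PrintableString.
SAMPLE = [(O, "EXAMPLE.TEST"), (CN, "Certificate Authority")]
CSR_SUBJECT = make_name(0x0C, SAMPLE)
CERT_SUBJECT = make_name(0x13, SAMPLE)
```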