#3945 ipa-client-install could be more helpful when it fails because SRV records don't use FQDN
Closed: wontfix 5 years ago Opened 10 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1011399

After dealing with https://bugzilla.redhat.com/show_bug.cgi?id=1011396 , I was
finding my ipa-client-install runs failed with this error:

* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not
match the server's certificate.
* Closing connection 0
libcurl failed to execute the HTTP POST transaction, explaining:  Unable to
communicate securely with peer: requested domain name does not match the
server's certificate.

full log at http://fpaste.org/41762/87921/ , till it expires. It turns out that
the problem was in my DNS SRV records. I'm using external DNS (I couldn't come
up with a configuration where the freeipa box was a DNS server that really
worked great for my weird case) so I had to hand-create the correct records
based on the example BIND zone file the ipa-server-install gave me, and what I
did wrong was to make the target just 'id' rather than 'id.happyassassin.net'
(many thanks to ab on IRC for figuring this out). Docs I found on the SRV
format indicated that just the hostname rather than the FQDN was valid, but
apparently for freeipa purposes it has to be the FQDN. Correcting the SRV
records to point to 'id.happyassassin.net' made it happy.

ab and mkosek think ipa-client-install might be able to catch this issue and
print a more helpful error, so I'm filing this bug report to suggest that.
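The kind of pre-flight check this ticket asks for, written here as an added example in Python. It is not FreeIPA's code and not something the reporter posted: it takes SRV answers in the presentation format that dig prints (or a BIND zone file uses), and flags targets that are not fully qualified, which is exactly what produced the SSL_ERROR_BAD_CERT_DOMAIN failure above. The sample answers are constructed for the example (they are not from the reporter's fpaste log), the domain happyassassin.net and host name id are taken from the ticket, no live DNS query is made, and the "outside the IPA domain" warning is my own heuristic, not a documented FreeIPA rule.

```python
"""Pre-flight check for the SRV records ipa-client-install discovers.

Added example, not FreeIPA code. Works on SRV answers in dig/zone-file
presentation format and flags targets that are not FQDNs. No live DNS
queries are made; the sample answers below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# owner [ttl] [IN] SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class SrvRecord:
    owner: str      # e.g. _ldap._tcp.happyassassin.net (trailing dot removed)
    priority: int
    weight: int
    port: int
    target: str     # as it appeared in the answer, trailing dot removed


def parse_srv(text: str) -> list[SrvRecord]:
    """Parse SRV lines. Names are taken as printed (dig prints absolute
    names), so no $ORIGIN expansion of relative zone-file names is done."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop dig / zone-file comments
        if not line:
            continue
        m = SRV_LINE.match(line)
        if m is None:
            raise ValueError(f"not an SRV record: {raw!r}")
        records.append(SrvRecord(
            owner=m["owner"].rstrip(".").lower(),
            priority=int(m["prio"]),
            weight=int(m["weight"]),
            port=int(m["port"]),
            target=m["target"].rstrip(".").lower(),
        ))
    return records


def check_srv_targets(records: list[SrvRecord], domain: str) -> list[tuple[SrvRecord, str]]:
    """Return (record, explanation) pairs for records a client cannot use.

    A bare label such as 'id' is what this ticket hit: the client opens TLS
    to the name the SRV record gave it, and a certificate issued for the
    server's FQDN does not match that name (SSL_ERROR_BAD_CERT_DOMAIN).
    """
    domain = domain.rstrip(".").lower()
    problems = []
    for r in records:
        if r.target == "":
            # RFC 2782: a target of '.' means the service is decidedly not available.
            problems.append((r, "target is '.', which means the service is "
                                "explicitly not available at this domain"))
        elif "." not in r.target:
            problems.append((r, f"target '{r.target}' is a bare host name, not an FQDN; "
                                f"a certificate issued for the server's FQDN "
                                f"(e.g. '{r.target}.{domain}') will not match it "
                                f"(SSL_ERROR_BAD_CERT_DOMAIN)"))
        elif not (r.target == domain or r.target.endswith("." + domain)):
            # Heuristic (assumption, not a FreeIPA rule): servers are normally
            # inside the IPA DNS domain, so anything else deserves a second look.
            problems.append((r, f"target '{r.target}' is outside the IPA domain '{domain}'"))
    return problems


# Constructed sample answers in the format dig prints. The first mirrors the
# reporter's mistake: the target was entered as the bare host name 'id'.
SRV_BARE_TARGET = """\
; <<>> constructed sample, not a real dig capture <<>>
_ldap._tcp.happyassassin.net.     86400 IN SRV 0 100 389 id.
_kerberos._udp.happyassassin.net. 86400 IN SRV 0 100 88  id.
"""

SRV_FQDN_TARGET = """\
_ldap._tcp.happyassassin.net.     86400 IN SRV 0 100 389 id.happyassassin.net.
_kerberos._udp.happyassassin.net. 86400 IN SRV 0 100 88  id.happyassassin.net.
"""


if __name__ == "__main__":
    for label, answer in (("bare target", SRV_BARE_TARGET),
                          ("FQDN target", SRV_FQDN_TARGET)):
        problems = check_srv_targets(parse_srv(answer), "happyassassin.net")
        print(f"{label}: {'OK' if not problems else 'PROBLEMS'}")
        for rec, why in problems:
            print(f"  {rec.owner} -> {rec.target}: {why}")
```

Run against the first sample it reports both records with an explanation naming the FQDN the certificate would carry, which is the message the ticket wishes ipa-client-install had printed; the second sample passes cleanly.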

Metadata Update from @mkosek:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
