Thank you Fraser - you hit the nail on the head!
I had used openssl to create my Root CA and then an Intermediate CA following the guides
at:
https://jamielinux.com/docs/openssl-certificate-authority/
In that guide the extension for the intermediate is for pathlen:0 so I either need to
change that to 1 or to sign the FreeIPA CSR using the Root certificate I generated with
openssl.
basicConstraints = critical, CA:true, pathlen:0
Many thanks for your help and I hope this questions helps someone in future.