There got to be a bug in the univention-join script.
The folder "/etc/univention/ssl" is renamed during the domain join process.
Howeverin the download_host_certificate subroutin are the folder "/etc/univention/ssl/hosname.domainname" with the symbolic link "/etc/univention/ssl/hosname" never re-created.
The subsequent call to univention-scp is failing due to the missing folder and link.
I have added these lines at the start of the download_host_certificate subroutin.
ln -s "/etc/univention/ssl/$hostname.$domainname" "/etc/univention/ssl/$hostname"
I am still not sure if this is the best location but it serves the purpose.