Thank you, Craig. I checked with Fiddler, there is no redirect happening as far as I understand the output. I tried with https://www.poehlerthomas.de and I typically see a lot of "Tunnel to" entries with "CONNECT http://www.poehlerthomas.de:443
200 Connection Established ()". I tried with cache on and off, I haven't used Fiddler for a while and the result is inconclusive to me.
On the top of https://www.poehlerthomas.de is a DNN menu, and I would expect the menu entries to point to HTTP addresses. Instead, for example the "Aktuell" link points to https://www.poehlerthomas.de/language/de-DE/Aktuell. There is also an "Impressum" link, which is generated via DotNetNuke.Common.Globals.NavigateURL, and that method also generates an HTTPS link.
I am sure this is new behaviour, but I am not sure if upgrading to 9.9.1 or other stuff that I changed to add Let's Encrypt to other portals is the reason for the https links. For example I added a certificate for www.aivest.com. Everything works fine there - https links of course.
So ssl is disabled for all my sites in DNN, but all sites generate https links.