That's part of our puzzle. Happy to send more output if it would be helpful.
ldapsearch connects fine:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [CN=directory.upenn.edu,OU=ISC: N&T - NES - Identity and Access Management (IAM),O=University of Pennsylvania,STREET=3451 Walnut Street,L=Philadelphia,ST=PA,postalCode=19104,C=US] is valid
TLS certificate verification: subject: CN=directory.upenn.edu,OU=ISC: N&T - NES - Identity and Access Management (IAM),O=University of Pennsylvania,STREET=3451 Walnut Street,L=Philadelphia,ST=PA,postalCode=19104,C=US, issuer: CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US, cipher: AES-256, security level: high, secret key bits: 256, total key bits: 256, cache hits: 0, cache misses: 0, cache not reusable: 0
ldap_open_defconn: successful
even when there's an expired cert in the chain:
head pd-ldap1.certs (from this command:
openssl s_client -host pd-ldap1.net.isc.upenn.edu -port 636 -showcerts 2>pd-ldap1.certs >> pd-ldap1.certs)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:0
DONE
CTED(00000003)
---
Certificate chain
0 s:/C=US/postalCode=19104/ST=PA/L=Philadelphia/street=3451 Walnut Street/O=University of Pennsylvania/OU=ISC: N&T - NES - Identity and Access Management (IAM)/CN=directory.upenn.edu
i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
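The post contrasts two observations: ldapsearch (NSS) accepts the connection while `openssl s_client` reports `certificate has expired` at depth=3 of the chain the server sends. A useful defender-side check is to take a `-showcerts` capture such as pd-ldap1.certs and list, per chain depth, each certificate's CN and notAfter, so the expired element can be located without trusting either tool's summary. The script below is an added example, not from the original poster or from OpenLDAP/OpenSSL; it uses only the Python standard library and a minimal DER walker (version, serial, issuer, validity and subject are the only fields it reads). The sample capture embedded in it is constructed: the certificates are unsigned stand-ins with made-up CNs, and the expired one reuses the notAfter date that appears in the post.

```python
import base64
import re
from datetime import datetime, timezone

CN_OID = b"\x55\x04\x03"          # id-at-commonName (2.5.4.3)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out


def decode_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ; 50-99 means 19xx) or GeneralizedTime (0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def common_name(name_der):
    """Name is SEQUENCE OF SET OF SEQUENCE {OID, value}; return the first CN found."""
    for _, rdn in children(name_der):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            if oid == CN_OID:
                return val.decode("utf-8", "replace")
    return None


def parse_cert(der):
    """Return subject/issuer CN and validity of one DER certificate."""
    _, cert, _ = read_tlv(der, 0)                       # Certificate SEQUENCE
    fields = children(children(cert)[0][1])             # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    not_before, not_after = (decode_time(t, v) for t, v in children(validity))
    return {"subject_cn": common_name(subject), "issuer_cn": common_name(issuer),
            "not_before": not_before, "not_after": not_after}


def audit_chain(text, now=None):
    """Parse every PEM block of an s_client -showcerts capture, in server order (depth 0 first)."""
    now = now or datetime.now(timezone.utc)
    results = []
    for depth, m in enumerate(PEM_RE.finditer(text)):
        info = parse_cert(base64.b64decode("".join(m.group(1).split())))
        info.update(depth=depth, expired=info["not_after"] < now)
        results.append(info)
    return results


# --- constructed sample capture (stand-in certificates, not real ones) ---------------
def der(tag, payload):
    n = len(payload)
    if n < 128:
        length = bytes([n])
    else:
        k = (n.bit_length() + 7) // 8
        length = bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + payload


def fake_cert(subject, issuer, not_before, not_after):
    """Unsigned, CN-only stand-in with just enough structure for parse_cert()."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))))
    utc = lambda dt: der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + name(issuer) + der(0x30, utc(not_before) + utc(not_after)) + name(subject) + der(0x30, b""))
    b64 = base64.b64encode(der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"


UTC = timezone.utc
SAMPLE = ("CONNECTED(00000003)\ndepth=1 CN = Example Old Root (constructed)\n"
          "verify error:num=10:certificate has expired\n---\nCertificate chain\n"
          " 0 s:/CN=ldap.example.test\n   i:/CN=Example Old Root (constructed)\n"
          + fake_cert("ldap.example.test", "Example Old Root (constructed)",
                      datetime(2019, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC))
          + " 1 s:/CN=Example Old Root (constructed)\n   i:/CN=Example Old Root (constructed)\n"
          + fake_cert("Example Old Root (constructed)", "Example Old Root (constructed)",
                      datetime(2000, 5, 30, 10, 48, 38, tzinfo=UTC), datetime(2020, 5, 30, 10, 48, 38, tzinfo=UTC)))

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for r in audit_chain(text):
        print(f"depth={r['depth']} cn={r['subject_cn']!r} notAfter={r['not_after']:%Y-%m-%d %H:%M:%S} expired={r['expired']}")
```

Run it as `python3 chain_audit.py pd-ldap1.certs` to see the served chain depth by depth; with no argument it runs on the constructed sample. An expired certificate at the deepest depth is what an old cross-signed root looks like when the server still includes it in its chain, and whether a given client rejects that depends on the client's own trust store and path building, which is why the two tools in the post can disagree.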