Why does my 389-ds configuration work over LDAP but not LDAPS?

Sorry if this has been asked before, but when I searched for similar issues, I got results like these (that make no sense to me).

I've been trying to set up 389-ds using Red Hat's Directory Server 11 documentation on two fully-updated Rocky Linux 8.6 servers. My servers are supplier1.example.com and supplier2.example.com and are on the same subnet. I've set up each server's /etc/hosts file using their private IP and hostname, and have verified connectivity by pinging the other server's IP and hostname. Ports 389 and 636 are open for TCP. The suffixes being shared are "dc=example,dc=com.

The directory server instances were created using dscreate's interactive mode (LDAP over TCP 389, LDAPS over TCP 636, self-signed certificates, etc.). I suspect that the issue lies somewhere with those self-signed certs and a lack of trust between the two systems, but I don't know how to even begin correcting that.

Thank you for reading this.

Using the example commands below, I was able to create replication agreements...

Server 1:

sudo dsconf -D "cn=Directory Manager" ldap://supplier1.example.com replication \
    enable --suffix="dc=example,dc=com" --role="supplier" --replica-id=2 \
    --bind-dn="cn=replication manager,cn=config" --bind-passwd="password"

sudo dsconf -D "cn=Directory Manager" ldap://supplier1.example.com repl-agmt \
     create --suffix="dc=example,dc=com" --host="supplier2.example.com" --port=389 \
     --conn-protocol=LDAP --bind-dn="cn=replication manager,cn=config" \
     --bind-passwd="password" --bind-method=SIMPLE --init \
     example-agreement-supplier1-to-supplier2

Server 2:

dsconf -D "cn=Directory Manager" ldap://supplier2.example.com replication \
    enable --suffix="dc=example,dc=com" --role="supplier" --replica-id=1 \
    --bind-dn="cn=replication manager,cn=config" --bind-passwd="password"

sudo dsconf -D "cn=Directory Manager" ldap://supplier2.example.com repl-agmt \
     create --suffix="dc=example,dc=com" --host="supplier1.example.com" --port=389 \
     --conn-protocol=LDAP --bind-dn="cn=replication manager,cn=config" \
     --bind-passwd="password" --bind-method=SIMPLE --init \
     example-agreement-supplier2-to-supplier1

The documentation originally called for the replication agreement commands to use LDAPS over 636, but when I tried that replication would always fail. Here is an excerpt from running

$ ldapsearch -x -b "cn=mapping tree,cn=config" -D "cn=Directory Manager" -w  password objectClass=nsDS5ReplicationAgreement -LL

...
nsds5replicaLastUpdateStatus: Error (-2) Problem connecting to replica - LDAP error: Local error (connection error)
nsds5replicaLastUpdateStatusJSON: {"state": "red", "ldap_rc": "-2", "ldap_rc_text": "Local error", "repl_rc": "16", "repl_rc_text": "connection error", "date": "2022-05-26T21:58:31Z", "message": "Error (-2) Problem connecting to replica - LDAP error: Local error (connection error)"}
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20220526212655Z
nsds5replicaLastInitEnd: 19700101000000Z
nsds5replicaLastInitStatus: Error (-2) - LDAP error: Local error - no response received
nsds5replicaLastInitStatusJSON: {"state": "red", "ldap_rc": "-2", "ldap_rc_text": "Local error", "repl_rc": "255", "repl_rc_text": "no response received", "conn_rc": "0", "conn_rc_text": "operation success", "date": "2022-05-26T21:27:10Z", "message": "Error (-2) - LDAP error: Local error - no response received"}

I got replication to work over LDAPS by generating new self-signed certificates outside of 389-ds, and importing them on each server with the following command:

dsconf -D "cn=Directory Manager" ldap://host.domain.com security certificate add --file host_domain.com.crt --name "Server-Cert" --primary-cert .

Restarting the instances afterward resolved the issue.

NB: I have very little experience with 389-ds outside of this, so there probably is a better way to do this.