openLDAP certificates untrusted or revoked

I've already spent two days on this problem but I can't find any solution.

Two openLDAP server run from docker on different hosts in master/master scenario. ldapsearch command or syncrepl process run perfectly with ldap protocol.
Now, I want to use a valid LE certificate to enable ldaps but I've got error : TLS: peer cert untrusted or revoked (0x80002) but not from everywhere !

Versions

Docker image is based on debian:stable-slim (v11.5 when I write theses lines).
Docker hosts are up to date Debian bullseye.
slapd version is slapd 2.4.57+dfsg-3+deb11u1.

Config

/etc/ldap/ldap.conf file

TLS_CACERT  /etc/ssl/certs/ca-certificates.crt

Here my relevant slapd config in ldif format :

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcIdleTimeout: 0
olcPidFile: /var/run/slapd/slapd.pid
olcSecurity: tls=0
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
olcTLSCertificateKeyFile: /etc/ldap/ssl/key.pem
olcTLSCertificateFile: /etc/ldap/ssl/fullchain.pem
structuralObjectClass: olcGlobal
olcTLSProtocolMin: 3.1
olcServerId: 001 ldaps://ldap1.exemple.com
olcServerId: 002 ldaps://ldap2.exemple.com

# Load module
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: syncprov

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=config
olcRootPW:: REDACTED
structuralObjectClass: olcDatabaseConfig
olcSyncRepl: {0}rid=001 provider=ldaps://ldap1.exemple.com binddn="cn=config" bindmethod=simple credentials="REDACTED" searchbase="cn=config" filter="(objectClass=*)" scope="sub" attrs="*,+" schemachecking=off type=refreshAndPersist retry="5 5 300 5" timeout=1
olcSyncRepl: {1}rid=002 provider=ldaps://ldap2.exemple.com binddn="cn=config" bindmethod=simple credentials="REDACTED" searchbase="cn=config" filter="(objectClass=*)" scope="sub" attrs="*,+" schemachecking=off type=refreshAndPersist retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE

Tests

From docker host to openLDAP guest :
From MacOS host to openLDAP guest :
From one openLDAP guest to self :
From one openLDAP guest to other openLDAP guest :

$ openssl s_client -connect ldap1.exemple.com:636
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = ldap1.exemple.com
verify return:1
---
Certificate chain
 0 s:CN = ldap1.exemple.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5112 bytes and written 392 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

So, certificat seems valid in any ways.

==========

From docker host to openLDAP guest :
From one openLDAP guest to self :
From one openLDAP guest to other openLDAP guest :

$ ldapsearch -x -LLL -d 1  -H ldaps://ldap1.exemple.com -D cn=config -W -b cn=config cn=config
ldap_url_parse_ext(ldaps://ldap1.exemple.com)
ldap_create
ldap_url_parse_ext(ldaps://ldap1.exemple.com:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap1.exemple.com:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.65.2:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: peer cert untrusted or revoked (0x80002)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

From MacOS host to openLDAP guest with built-in ldapsearch command :
From MacOS host to openLDAP guest with homebrew ldapsearch command :

$ ldapsearch -x -LLL -H ldaps://ldap1.exemple.com -D cn=config -w REDACTED -b cn=config cn=config
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcIdleTimeout: 0
olcPidFile: /var/run/slapd/slapd.pid
olcSecurity: tls=0
olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
olcTLSCertificateKeyFile: /etc/ldap/ssl/key.pem
olcTLSCertificateFile: /etc/ldap/ssl/fullchain.pem
structuralObjectClass: olcGlobal
olcTLSProtocolMin: 3.1
olcServerId: 001 ldaps://ldap1.exemple.com
olcServerId: 002 ldaps://ldap2.exemple.com

Here, certificat is only trusted from MacOS host and I don't know why.
The same behavior happen is I replace olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt by olcTLSCACertificateFile: /etc/ldap/ssl/fullchain.pem in slapd config.

I need that docker hosts and openLDAP guests recognize LE certificates to allow ldap* commands and syncrepl process works with ldaps protocols.

I know that I can add TLS_REQCERT allow in /etc/ldap/ldap.conf file. But it works only with ldap* command and not syncrepl process.

What did I miss ? What I'm doing wrong ?

PS: I edit DNS entry to ldap1.exemple.com but I use a real DNS entry an valid LE certificats (no staging ones)

Try to install the package libldap-common. It was not automatically installed as a dependency of ldap-utils in our environment. After installing the package, the error went away, and we were able to connect to an LDAP server, which uses a LetsEncrypt certificate.

If you're facing the following error, you've to install libsasl2-modules, too:

ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    additional info: SASL(-4): no mechanism available: No worthy mechs found