I think this is a cipher issue but not sure what's the best way to fix it.
Here's the relevant parts of the debug log:
6a06270d.1893657b 0x7fdd70a32700 TLS trace: SSL_connect:before SSL
initialization
6a06270d.189599e9 0x7fdd70a32700 TLS trace: SSL_connect:SSLv3/TLS write client
hello
6a06270d.1895c248 0x7fdd70a32700 TLS trace: SSL_connect:error in SSLv3/TLS
write client hello
6a06270d.1895e146 0x7fdd70a32700 ldap_int_tls_start: ldap_int_tls_connect needs
read
6a06270d.1895f650 0x7fdd70a32700 ldap_int_tls_start: ld 0x7fdd64000db0 29 s
999743 us to go
6a06270d.18960cd2 0x7fdd70a32700 ldap_int_poll: fd: 13 tm: 29
6a06270d.19506ebf 0x7fdd70a32700 ldap_is_sock_ready: 13
6a06270d.195101f9 0x7fdd70a32700 ldap_ndelay_off: 13
6a06270d.1951816b 0x7fdd70a32700 TLS trace: SSL_connect:SSLv3/TLS write client
hello
6a06270d.19559d12 0x7fdd70a32700 TLS trace: SSL_connect:SSLv3/TLS read server
hello
6a06270d.1956362d 0x7fdd70a32700 TLS trace: SSL_connect:TLSv1.3 read encrypted
extensions
6a06270d.1957837a 0x7fdd70a32700 TLS trace: SSL_connect:SSLv3/TLS read server
certificate request
6a06270d.195af125 0x7fdd70a32700 TLS certificate verification: depth: 2, err:
0, subject: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST
Network/CN=USERTrust RSA Certification Authority,
6a06270d.195b3872 0x7fdd70a32700 issuer: /C=US/
ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA
Certification Authority
6a06270d.195ce954 0x7fdd70a32700 TLS certificate verification: depth: 1, err:
0, subject: /C=US/O=Internet2/CN=InCommon RSA Server CA 2,6a06270d.195d0666
0x7fdd70a32700 issuer: /C=US/ST=Ne
w Jersey/L=Jersey City/O=The USERTRUST Network/C
N=USERTrust RSA Certification Authority
6a06270d.195e1da8 0x7fdd70a32700 TLS certificate verification: depth: 0, err:
0, subject: /C=US/ST=New Jersey/O=Rutgers, The State University of New
Jersey/CN=ldap-master-vip.rutgers.edu,6a
06270d.195e3afd 0x7fdd70a32700 issuer: /C=US/O=
Internet2/CN=InCommon RSA Server CA 2
6a06270d.195e72e0 0x7fdd70a32700 TLS trace: SSL_connect:SSLv3/TLS read server
certificate
6a06270d.195f2c6d 0x7fdd70a32700 TLS trace: SSL_connect:TLSv1.3 read server
certificate verify
6a06270d.19600f87 0x7fdd70a32700 TLS trace: SSL_connect:SSLv3/TLS read finished
6a06270d.196035f3 0x7fdd70a32700 TLS trace: SSL_connect:SSLv3/TLS write change
cipher spec
6a06270d.1965f8fe 0x7fdd70a32700 TLS trace: SSL_connect:SSLv3/TLS write client
certificate
6a06270d.19748f81 0x7fdd70a32700 TLS trace: SSL_connect:SSLv3/TLS write
certificate verify
6a06270d.19753ca0 0x7fdd70a32700 TLS trace: SSL_connect:SSLv3/TLS write finished
6a06270d.19762de6 0x7fdd70a32700 ldap_sasl_interactive_bind: user selected:
EXTERNAL
6a06270d.19765125 0x7fdd70a32700 ldap_int_sasl_bind: EXTERNAL
6a06270d.19dfb970 0x7fdd70a32700 ldap_int_sasl_open:
host=ldap-master-vip.rutgers.edu
6a06270d.19e14381 0x7fdd70a32700 ldap_sasl_bind
6a06270d.19e17d67 0x7fdd70a32700 ldap_send_initial_request
6a06270d.19e18fdd 0x7fdd70a32700 ldap_send_server_request
6a06270d.19e1a390 0x7fdd70a32700 ber_scanf fmt ({it) ber:
6a06270d.19e1b59c 0x7fdd70a32700 ber_scanf fmt ({i) ber:
6a06270d.19e1c0fb 0x7fdd70a32700 ber_flush2: 26 bytes to sd 13
6a06270d.19e22270 0x7fdd70a32700 ldap_free_request (origid 2, msgid 2)
6a06270d.19e23937 0x7fdd70a32700 ldap_free_request_int: lr 0x7fdd64135380 msgid
2 removed
6a06270d.19e24c5a 0x7fdd70a32700 ldap_do_free_request: asked to free lr
0x7fdd64135380 msgid 2 refcnt 0
6a06270d.19e260d2 0x7fdd70a32700 ldap_free_connection 0 0
6a06270d.19e2710d 0x7fdd70a32700 ldap_free_connection: refcnt 1
6a06270d.19e27b7d 0x7fdd70a32700 ldap_msgfree
6a06270d.19e29251 0x7fdd70a32700 slap_client_connect:
URI=ldap://ldap-master-vip.rutgers.edu/ ldap_sasl_interactive_bind_s failed (-1)
6a06270d.19e340f0 0x7fdd70a32700 ldap_free_connection 1 1
6a06270d.19e363a1 0x7fdd70a32700 ldap_send_unbind
6a06270d.19e3710a 0x7fdd70a32700 ber_flush2: 7 bytes to sd 13
6a06270d.19e3fc48 0x7fdd70a32700 ldap_free_connection: actually freed
6a06270d.19e52801 0x7fdd70a32700 do_syncrepl: rid=101 rc -1 retrying (9 retries
left)
and if you look at the certs, in the old one I see
Signature Algorithm: sha384WithRSAEncryption
and the new one (just a renewal) is
Signature Algorithm: sha256WithRSAEncryption