Environment: kubernetes

When I connected to the ldap server via ldaps, there was the error below:

```
[root@ccebusimaster01 ~]# ldapsearch -x -H ldaps://172.16.233.44 -d1
ldap_url_parse_ext(ldaps://172.16.233.44)
ldap_create
ldap_url_parse_ext(ldaps://172.16.233.44:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 172.16.233.44:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.16.233.44:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `(null)'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `(null)'.
tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.
tlsmc_intercept_initialization: INFO: altered options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `(null)'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.
TLSMC: MozNSS compatibility interception ends.
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 0, subject: /C=US/ST=New Mexico/L=Albuquerque/O=A1A Car Wash/OU=Information Technology Dep./CN=docker-light-baseimage, issuer: /C=US/ST=New Mexico/L=Albuquerque/O=A1A Car Wash/OU=Information Technology Dep./CN=docker-light-baseimage
TLS certificate verification: depth: 0, err: 0, subject: /C=US/ST=New Mexico/L=Albuquerque/O=A1A Car Wash/OU=Information Technology Dep./CN=openldap-7cbccfd875-lnk6b, issuer: /C=US/ST=New Mexico/L=Albuquerque/O=A1A Car Wash/OU=Information Technology Dep./CN=docker-light-baseimage
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS trace: SSL_connect:SSLv3 read server key exchange A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect: .
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
```

>> I find that ldaps should be FQDN, so I added an entry in /etc/hosts and ran ldapsearch -x -H ldaps:// -d1. It was still the same error.

client ldap.conf like this:

```
[root@ccebusimaster01 ~]# cat /etc/openldap/ldap.conf
TLS_CACERT /etc/openldap/certs/ca.crt
TLS_REQCERT demand
SASL_NOCANON on
```
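As an added example (not part of the original issue or the project's code), this Python script reads an `ldapsearch -d1` trace like the one above and reports what it shows: chain verification results, whether the server sent a certificate request, whether the client had `certfile`/`keyfile` set, and the state in which `SSL_connect` failed. The function names and the wording of `finding` are this example's own, and the finding is a heuristic reading of the trace, not a confirmed root cause.

```python
import re

# Lines copied from the ldapsearch -d1 trace in the issue above (excerpt).
TRACE = """\
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
TLS certificate verification: depth: 1, err: 0, subject: /C=US/ST=New Mexico/L=Albuquerque/O=A1A Car Wash/OU=Information Technology Dep./CN=docker-light-baseimage, issuer: /C=US/ST=New Mexico/L=Albuquerque/O=A1A Car Wash/OU=Information Technology Dep./CN=docker-light-baseimage
TLS certificate verification: depth: 0, err: 0, subject: /C=US/ST=New Mexico/L=Albuquerque/O=A1A Car Wash/OU=Information Technology Dep./CN=openldap-7cbccfd875-lnk6b, issuer: /C=US/ST=New Mexico/L=Albuquerque/O=A1A Car Wash/OU=Information Technology Dep./CN=docker-light-baseimage
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:failed in SSLv3 read finished A
TLS: can't connect: .
"""

def summarize_trace(text):
    """Collect the TLS facts an OpenLDAP client debug trace exposes."""
    # The "altered options" block repeats the keys; dict() keeps the last value.
    opts = dict(re.findall(r"INFO: (certfile|keyfile) = `?([^'\n]*)'", text))
    verify = [(int(d), int(e)) for d, e in re.findall(
        r"certificate verification: depth: (\d+), err: (\d+)", text)]
    leaf = re.search(r"depth: 0, err: \d+, subject: [^,\n]*?CN=([^,/\n]+)", text)
    failed = re.search(r"SSL_connect:failed in (.+)", text)
    info = {
        "chain_errors": [(d, e) for d, e in verify if e != 0],
        "server_cn": leaf.group(1) if leaf else None,
        "client_cert_requested": "read server certificate request" in text,
        "client_cert_configured": all(
            opts.get(k, "(null)") != "(null)" for k in ("certfile", "keyfile")),
        "failed_state": failed.group(1).strip() if failed else None,
    }
    info["finding"] = classify(info)
    return info

def classify(info):
    """Heuristic reading of the collected facts (an assumption, not a proof)."""
    if info["chain_errors"]:
        return "server certificate chain failed verification"
    if info["failed_state"] is None:
        return "no handshake failure recorded"
    if info["client_cert_requested"] and not info["client_cert_configured"]:
        return ("chain verified; server requested a client certificate, none "
                "configured, handshake failed in: " + info["failed_state"])
    return "handshake failed in: " + info["failed_state"]

if __name__ == "__main__":
    for key, value in summarize_trace(TRACE).items():
        print(f"{key}: {value}")
```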
Were you by any chance able to make ldaps work from outside the container? If so, what additional configuration did you make in order to achieve it?