This morning LDAP TLS started failing. The failure coincided with new certificates being created for our LDAP servers.
This appears to be the issue: the issuer of the new certificate changed from "Let's Encrypt Authority X3" to "R3", while the subject stayed the same.
(old cert)
```
cat /etc/acmecerts/ldap/cae12c858fa6417d8d999bfaef1c25ec/rsa-2048.crt | openssl x509 -text | grep CN
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Subject: CN = ldap-labs.eqiad.wikimedia.org
```
(new cert)
```
cat /etc/acmecerts/ldap/b547061e1e5343eaa1adfcb7de0d6ea7/rsa-2048.crt | openssl x509 -text | grep CN
Issuer: C = US, O = Let's Encrypt, CN = R3
Subject: CN = ldap-labs.eqiad.wikimedia.org
```
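As an added example that is not part of this ticket, the following shell helpers compare the issuer of the old and new certificate files and check that the new certificate still verifies against the CA file the LDAP clients trust. It assumes `openssl` is installed and that the CA-file path passed as the third argument is the one the clients are configured with.

```shell
#!/bin/sh
# Added example (not from the ticket). Reports issuer/subject of the old and
# new certificate and verifies the new one against the clients' CA bundle.

# Print the issuer DN of the certificate in $1.
cert_issuer() { openssl x509 -in "$1" -noout -issuer; }

# Print the subject DN of the certificate in $1.
cert_subject() { openssl x509 -in "$1" -noout -subject; }

# Return 0 when the certificate in $1 chains to the trust store in $2.
cert_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Return 0 when the old ($1) and new ($2) certificate share an issuer.
issuer_unchanged() { [ "$(cert_issuer "$1")" = "$(cert_issuer "$2")" ]; }

# check_rotation OLD.crt NEW.crt CA-FILE
# Prints both issuers, warns when the issuer changed, and returns the result
# of verifying the new certificate against CA-FILE (0 = verifies).
check_rotation() {
    old=$1; new=$2; ca=$3
    printf 'old: %s / %s\n' "$(cert_subject "$old")" "$(cert_issuer "$old")"
    printf 'new: %s / %s\n' "$(cert_subject "$new")" "$(cert_issuer "$new")"
    if ! issuer_unchanged "$old" "$new"; then
        echo "issuer changed: confirm the LDAP clients' CA file covers the new chain"
    fi
    cert_verifies "$new" "$ca"
}
```

Run it as `check_rotation old/rsa-2048.crt new/rsa-2048.crt /path/to/ca-bundle.crt` (paths are placeholders); a non-zero exit means the new certificate does not verify with that bundle.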
I have temporarily hacked the old certs back in place and disabled Puppet on the following hosts:
seaborgium.wikimedia.org
serpens.wikimedia.org
ldap-replica100[1-2].wikimedia.org
ldap-replica200[3-4].wikimedia.org