We have a 2-server setup which started to have some LDAP replica sync problems.
The 2 servers were recently upgraded to ZCS 7.1.2 and the self-signed certificates were renewed using the admin console for all services.

After a few days we noticed that the LDAP replica is not in sync with the master and is generating the following in the zimbra.log:

Sep 29 00:21:47 zcs-mta slapd[4242]: @(#) $OpenLDAP: slapd 2.4.25 (Jul 6 2011 13:32:14) $ ^Iroot@zre-ubuntu10-64:/home/build/p4/HELIX/ThirdParty/openldap/openldap-
Sep 29 00:21:48 zcs-mta slapd[4243]: slapd starting
Sep 29 00:21:48 zcs-mta slapd[4243]: slap_client_connect: URI=ldap://enterprisemail.vps-host.net:389 Error, ldap_start_tls failed (-11)
Sep 29 00:21:48 zcs-mta slapd[4243]: do_syncrepl: rid=100 rc -11 retrying

Here is what I already tried:

1. Resynced the replica with the master data and restarted it using these steps:
LDAP data import export - Zimbra :: Wiki

2. Checked ldapsearch from the replica to query the master, which is working fine using TLS:
zimbra@zcs-mta:~$ ldapsearch -ZZ -x -H ldap://<masterldap>:389/ -D "uid=zimbra,cn=admins,cn=zimbra" -b "" -s base -W +

3. Checked the ca.pem on both master and replica; both are self-signed certs and not outdated.

4. Tried copying the ca.key and ca.pem from the master to the replica and re-creating the links with c_rehash, but still no go.

Any ideas are much appreciated.
Thank you.
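
An added example, not part of the original post: a small triage script that pairs each `ldap_start_tls failed` line with the `do_syncrepl` retry logged by the same slapd pid, so the affected rid and provider URI can be counted over a longer log. The sample input is the log from the post; the function names are illustrative.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (slapd output in zimbra.log).
SAMPLE_LOG = """\
Sep 29 00:21:48 zcs-mta slapd[4243]: slapd starting
Sep 29 00:21:48 zcs-mta slapd[4243]: slap_client_connect: URI=ldap://enterprisemail.vps-host.net:389 Error, ldap_start_tls failed (-11)
Sep 29 00:21:48 zcs-mta slapd[4243]: do_syncrepl: rid=100 rc -11 retrying
"""

SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) slapd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TLS_FAIL = re.compile(
    r"slap_client_connect: URI=(?P<uri>\S+) Error, ldap_start_tls failed \((?P<rc>-?\d+)\)")
RETRY = re.compile(r"do_syncrepl: rid=(?P<rid>\d+) rc (?P<rc>-?\d+) retrying")


def find_syncrepl_tls_failures(text):
    """Pair each StartTLS failure with the syncrepl retry from the same slapd pid."""
    pending = {}   # pid -> last StartTLS failure not yet matched to a retry
    findings = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue  # not a slapd syslog line
        pid, msg = m["pid"], m["msg"]
        tls = TLS_FAIL.search(msg)
        if tls:
            pending[pid] = {"ts": m["ts"], "host": m["host"],
                            "provider": tls["uri"], "rc": int(tls["rc"])}
            continue
        retry = RETRY.search(msg)
        # Only pair when the return codes agree, so unrelated retries are skipped.
        if retry and pid in pending and pending[pid]["rc"] == int(retry["rc"]):
            finding = pending.pop(pid)
            finding["rid"] = int(retry["rid"])
            findings.append(finding)
    return findings


def summarize(findings):
    """Count failures per (replica host, rid, provider URI, return code)."""
    counts = defaultdict(int)
    for f in findings:
        counts[(f["host"], f["rid"], f["provider"], f["rc"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in summarize(find_syncrepl_tls_failures(SAMPLE_LOG)).items():
        print(key, n)
```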