TLS incomplete chain for TCP (LDAPS) proxy

I am attempting to configure Traefik 2.4.8 as a LDAPS proxy to allow SSL connections to a server that only has unsecure LDAP (port 389) configured. I have been going around in circles with this and I think I have finally nailed down the problem, but I don't know how to fix it.

I have both HTTPS (port 443) and LDAPS (port 636) entrypoints configured:

    address: ":80"
          to: "websecure"

    address: ":443"

    address: ":636"

I have an acme resolver setup for a local private CA to generate certificates. This is working perfectly for the websecure entrypoint with just the root CA certificate installed on the client machine. However, when I try to connect to the ldaps port from the same client machine with an LDAP client I get an error report of an incomplete chain. I have verified via openssl that both ports 443 and 636 are using the same certificate. There is also only one certificate entry in the Traefik server's acme.json file.

I decoded the base64 string from the certificate entry in acme.json and verified that it includes 2 certificates, one for the server and the other for the intermediate CA issuer, just as I would expect. However, it appears that Traefik is just offering up the first certificate on the TCP port. Is there an option that I am missing somewhere in the Traefik config for this?

I've been struggling with something similar and I think I found a workaround. Here's my post describing what I've learned: