SSL is a checkbox in Directory Utility. Use Network Utility or the command line to run a port scan after enabling SSL, this to confirm which ports are open. TCP and UDP ports used by Apple software products - Apple Support LDAP shouldn't use SSL on 389, and should use SSL on 636.
Whether LE certificates makes sense here depends on a few details... Such as whether the server is exposed to the 'net. LE certificates have to be renewed every three months, and which can get to be a bit of a periodic hassle for an internal-only server.
Existing discussions of using certificates with macOS with Server.app and Open Directory that might be useful:
As for LDAP via LE SSL cert, try it. The LE certs are free and do offer SSL, and you're either going to be doing this whole renewal process manually, or you're going to need some set-up to test with it all anyway.
As for an internal-only server, I'd be tempted to run a local certificate authority chain, and loading the root public cert into the clients. No need for LE or purchased cert, if the systems are entirely internal and all the clients are either under your control, or have a secure path to load the root public cert.
If you enable SSL, you're going to absolutely want to ensure your DNS configuration is exactly right on the server, or "fun" can ensue. On a NAT'd network, using remote/public DNS is not going to play very well. Your forward—name to address—translation must produce the same host name when the IP address is then run through the reverse—address to name—DNS translation. Among other tests...
$ sudo changeip -checkhostname
Password:
dirserv:success = "success"
$
I've not tried LE certs with LDAP. I'm running private servers with private CA chains. But it should work. Given the mass deprecation of services and the product shift away from a server and into an MDM role, I'm spending less time working with Server.app, though.
And as was mentioned over in your posting of this same question at SO, including just one question to a posting does tend to work better, too:
https://apple.stackexchange.com/questions/341965/how-do-i-make-sure-macos-server -open-directory-uses-ssl