Office365 Outlook "target principal name is incorrect" error with multi-domain cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.brazoslink.net

I ran this command: Used certbot 1.32.0 to generate a multi-host SSL cert.

It produced this output: Successful completion, installed cert properly in Apache, Dovecot, etc.

My web server is (include version): Apache 2.4.33

The operating system my web server runs on is (include version): macOS 10.13.6 (High Sierra)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

Problem:
All the certs look good, I can use openssl to check every port, everything returns the valid cert. However. Office365 Outlook throws a "target principal name is incorrect" error based on the "issued to" domain, which is www.brazoslink.net. Can I fix this on my end, or is this an Outlook limitation in regard to respecting "alternative names" in SSL certs?

Hello @jlgtx, welcome to the Let's Encrypt community.

Using SSL Server Test (Powered by Qualys SSL Labs) I see this SSL Server Test: mail.brazoslink.net (Powered by Qualys SSL Labs) as a possibility as to why Office365 Outlook is having an issue.
Chain issues Incorrect order, Extra certs, Contains anchor

image1245×963 26.1 KB

@Bruce5051 Please note that SSLLabs only checks HTTPS (port 443) and not email services.

Can you please elaborate in which phase/process Office365 Outlook is giving you this error? IMAP? SMTP? Et cetera. Please provide as much info as possible. Actual error logs, screenshots, email headers, whatever.

Also an interesting DNS find using DNS Lookup - Check DNS Records
There are 2 MX DNS Records for the domain

image1282×1004 37.2 KB

And mx2.brazoslink.net isn't one of the names on the certificate.

Correct, but if they are using a poorly formed Certificate Chain one place, then possibly elsewhere they are using that poorly formed Certificate Chain.

That's in fact the case indeed, HTTPS, IMAP and SMTP somehow all include the root certificate ISRG Root X1. Dunno why, Certbot does not include the root cert.

I've updated the cert to include some missing SANs, including mx2.brazoslink.net. Seeing the same issues in the Qualys analysis, but unsure how to fix them. My cert installation process is this:

# cd /etc/letsencrypt/live/www.brazoslink.net
# openssl pkcs12 -export -inkey privkey.pem -in cert.pem -certfile fullchain.pem -out letsencrypt_sslcert.p12 -passout pass:<random passkey>
# security import letsencrypt_sslcert.p12 -f pkcs12 -k /Library/Keychains/System.keychain -P <random passkey> -T /Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd

The response I get is:

1 identity imported.
3 certificates imported.

My openssl is LibreSSL 2.2.7, could that have something to do with it? I also have OpenSSL 3.0.7 installed via MacPorts, so I could use that if it would fix the problem.

Installation to what exactly? You're running Apache, Dovecot and Postfix. All those three services don't use PKCS12.

It's macOS Server, which uses a system keychain to store certs, and handles all the various service configurations behind the scenes.

What is your Outlook configuration?
What OS is running Outlook?

And this is a Client error, correct?

One of my users, probably on Windows. Their Outlook config points to mail.brazoslink.net.

I'm not familiar with MacOS, but I'm preeeeeeeetty sure it doesn't work that way for Apache, Dovecot and Postfix? Usually they need the private key and certificate fullchain referenced in their configuration files.

Also, that's the server side of things. I'm still waiting on a detailed report of the actual error presented by Outlook and more details as I mentioned earlier.

What protocol(s)?

SMTP and IMAP

Any security?

and / or

More details are needed to understand what Outlook is doing to cause it to complain.

% openssl s_client -showcerts -connect mail.brazoslink.net:993 -servername mail.brazoslink.net
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = brazoslink.net
verify return:1
---
Certificate chain
 0 s:CN = brazoslink.net
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 14 16:32:24 2022 GMT; NotAfter: Feb 12 16:32:23 2023 GMT
-----BEGIN CERTIFICATE-----
MIIGSDCCBTCgAwIBAgISBDcLoVCZRLGjt2QLN9TbVoU3MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjExMTQxNjMyMjRaFw0yMzAyMTIxNjMyMjNaMBkxFzAVBgNVBAMT
DmJyYXpvc2xpbmsubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
sJSxgXoyxRKWvCIczSAz22mQhip4l8xGSHN8Jp2w7Y6iuMDrRCPL9oGunVZ0201E
VdIFeu790ZB6re+uH9CHRMK6PYJZB2K/yOp/R0lPtbxD3UaWH5NhAfy5JqVePyCA
Ab7X4FaTRqZPJIXRwCet4KEKbbX1bLFRCsYOch7eJWx7jz7/u4lK3LMFdHjo+Hjz
QTYDnVWTVoKIGVxesple7j+a9r5vzmbp/rFLT86Zcvcz1hFM/cJiUtctEDyVl3zT
cokyfSfhjDxsc4WBjjDcoQPwB+RapvH1ojxnV/ycOw6eZgXeNjHL2gCDIVfH8MeR
XzdAY0lhUeE1dl/89naLawIDAQABo4IDbzCCA2swDgYDVR0PAQH/BAQDAgWgMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1Ud
DgQWBBQMjKfymPQ9Xmj2FUZDTZym+vkOyjAfBgNVHSMEGDAWgBQULrMXt1hWy65Q
CUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9y
My5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3Jn
LzCCAT0GA1UdEQSCATQwggEwghdiYWNrZG9vci5icmF6b3NsaW5rLm5ldIIOYnJh
em9zbGluay5uZXSCGWNvbmZlcmVuY2UuYnJhem9zbGluay5uZXSCE2ljYWwuYnJh
em9zbGluay5uZXSCFWphYmJlci5icmF6b3NsaW5rLm5ldIITbWFpbC5icmF6b3Ns
aW5rLm5ldIIWbWVtYmVycy5icmF6b3NsaW5rLm5ldIIRbXQuYnJhem9zbGluay5u
ZXSCEm14Mi5icmF6b3NsaW5rLm5ldIIUc3RhdHMuYnJhem9zbGluay5uZXSCF3Rv
ci1leGl0LmJyYXpvc2xpbmsubmV0ghJ2cG4uYnJhem9zbGluay5uZXSCE3dpa2ku
YnJhem9zbGluay5uZXSCEnd3dy5icmF6b3NsaW5rLm5ldDBMBgNVHSAERTBDMAgG
BmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3Bz
LmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2AHoyjFTY
ty22IOo44FIe6YQWcDIThU070ivBOlejUutSAAABhHczDLkAAAQDAEcwRQIhAIIf
GQsecM9VFArQQaUekNnBGSBpwqZ8vAi0bVvt+/hvAiBXiMdDOltk6k6iHT+aW64z
tsJW7wCdwnHP9fMQp+MOhgB2AK33vvp8/xDIi509nB4+GGq0Zyldz7EMJMqFhjTr
3IKKAAABhHczDJ8AAAQDAEcwRQIgGO8dFhtyVEAE0jTgtjkxp9Auczz6K4vEdmHz
BE3QrC0CIQCaevuaji5IGsJblIz2VTDLEh7TFMVX74yoFYsJj4uALzANBgkqhkiG
9w0BAQsFAAOCAQEAGgDRD9eZo4dFANhhAMvbT3QHNK9yW+M9Ktj/iTWK3Ie0KVZE
ncRJj2KumxWAPTOgz1BhKgaMuc3cYLbZ5t1v97Ep76iSS3pSaqPJl5nzQeK+3zES
UMItEGPJzPcaxBhLtBeUonpRmWakfuQpe8Ql8iN9kVR/IY/rnGQkciWylGtkraNG
xy7655euEbOEut4tjdGbqfAqcnMVNRt/M1afWoG8/pxYuaqfuTpsTc4tDiC8jW4h
uwMJoOaarmAadZQqp/dwHWUf7Xyo8LsM8XAcTFKEBNsG2LzCikgmeViDKrgv4vGi
QC0lV8//ltGhYszL0jFyriMlL8XpK+OciltmFw==
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun  4 11:04:38 2015 GMT; NotAfter: Jun  4 11:04:38 2035 GMT
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
---
Server certificate
subject=CN = brazoslink.net
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4989 bytes and written 451 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 149B5294C8D2E9AD6A40D30851493A0C0AF055DE1484BE3FEBF2CEA72BA43D4B
    Session-ID-ctx:
    Master-Key: 9D9330E898F98D93C6131A4591137C9FA30D0F22D9C8797D3874B1D3DCFA70FD454563FA9A72E0EFC670555871AC70B1
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - ba 90 e1 19 61 4c 48 f7-8e 73 9e 4d 41 91 ee 7d   ....aLH..s.MA..}
    0010 - dc ca 84 9c c7 63 29 65-e4 4c af 6b 91 e5 d5 0e   .....c)e.L.k....
    0020 - d8 62 95 c7 69 68 49 a0-df 7e 46 63 73 01 70 47   .b..ihI..~Fcs.pG
    0030 - 1f ab 27 99 8b 09 92 01-31 55 e5 70 55 82 2a 18   ..'.....1U.pU.*.
    0040 - 65 dc fa 2b e7 60 e5 27-30 45 92 98 23 cb e8 b8   e..+.`.'0E..#...
    0050 - ae c4 b9 85 1b 6d 82 b7-34 d2 4b 12 83 b0 0b 4c   .....m..4.K....L
    0060 - df ec 63 9b 2c 50 d0 6f-6c e7 af 83 57 0a aa 59   ..c.,P.ol...W..Y
    0070 - 43 61 e8 91 03 d0 c0 04-80 ec cc 9a 57 20 23 c6   Ca..........W #.
    0080 - b1 aa 22 27 eb 86 73 72-c9 cb 40 4e 35 85 2b 9e   .."'..sr..@N5.+.
    0090 - ec 39 27 43 09 66 24 04-42 34 8c e7 21 a0 c0 d7   .9'C.f$.B4..!...
    00a0 - 9b c6 dd 55 6b 78 3d 4d-62 27 c8 3c 0a a6 41 c7   ...Ukx=Mb'.<..A.

    Start Time: 1668449279
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE XAPPLEPUSHSERVICE AUTH=CRAM-MD5 AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

% openssl s_client -showcerts -connect mail.brazoslink.net:995 -servername mail.brazoslink.net
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = brazoslink.net
verify return:1
---
Certificate chain
 0 s:CN = brazoslink.net
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 14 16:32:24 2022 GMT; NotAfter: Feb 12 16:32:23 2023 GMT
-----BEGIN CERTIFICATE-----
MIIGSDCCBTCgAwIBAgISBDcLoVCZRLGjt2QLN9TbVoU3MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjExMTQxNjMyMjRaFw0yMzAyMTIxNjMyMjNaMBkxFzAVBgNVBAMT
DmJyYXpvc2xpbmsubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
sJSxgXoyxRKWvCIczSAz22mQhip4l8xGSHN8Jp2w7Y6iuMDrRCPL9oGunVZ0201E
VdIFeu790ZB6re+uH9CHRMK6PYJZB2K/yOp/R0lPtbxD3UaWH5NhAfy5JqVePyCA
Ab7X4FaTRqZPJIXRwCet4KEKbbX1bLFRCsYOch7eJWx7jz7/u4lK3LMFdHjo+Hjz
QTYDnVWTVoKIGVxesple7j+a9r5vzmbp/rFLT86Zcvcz1hFM/cJiUtctEDyVl3zT
cokyfSfhjDxsc4WBjjDcoQPwB+RapvH1ojxnV/ycOw6eZgXeNjHL2gCDIVfH8MeR
XzdAY0lhUeE1dl/89naLawIDAQABo4IDbzCCA2swDgYDVR0PAQH/BAQDAgWgMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1Ud
DgQWBBQMjKfymPQ9Xmj2FUZDTZym+vkOyjAfBgNVHSMEGDAWgBQULrMXt1hWy65Q
CUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9y
My5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3Jn
LzCCAT0GA1UdEQSCATQwggEwghdiYWNrZG9vci5icmF6b3NsaW5rLm5ldIIOYnJh
em9zbGluay5uZXSCGWNvbmZlcmVuY2UuYnJhem9zbGluay5uZXSCE2ljYWwuYnJh
em9zbGluay5uZXSCFWphYmJlci5icmF6b3NsaW5rLm5ldIITbWFpbC5icmF6b3Ns
aW5rLm5ldIIWbWVtYmVycy5icmF6b3NsaW5rLm5ldIIRbXQuYnJhem9zbGluay5u
ZXSCEm14Mi5icmF6b3NsaW5rLm5ldIIUc3RhdHMuYnJhem9zbGluay5uZXSCF3Rv
ci1leGl0LmJyYXpvc2xpbmsubmV0ghJ2cG4uYnJhem9zbGluay5uZXSCE3dpa2ku
YnJhem9zbGluay5uZXSCEnd3dy5icmF6b3NsaW5rLm5ldDBMBgNVHSAERTBDMAgG
BmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3Bz
LmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2AHoyjFTY
ty22IOo44FIe6YQWcDIThU070ivBOlejUutSAAABhHczDLkAAAQDAEcwRQIhAIIf
GQsecM9VFArQQaUekNnBGSBpwqZ8vAi0bVvt+/hvAiBXiMdDOltk6k6iHT+aW64z
tsJW7wCdwnHP9fMQp+MOhgB2AK33vvp8/xDIi509nB4+GGq0Zyldz7EMJMqFhjTr
3IKKAAABhHczDJ8AAAQDAEcwRQIgGO8dFhtyVEAE0jTgtjkxp9Auczz6K4vEdmHz
BE3QrC0CIQCaevuaji5IGsJblIz2VTDLEh7TFMVX74yoFYsJj4uALzANBgkqhkiG
9w0BAQsFAAOCAQEAGgDRD9eZo4dFANhhAMvbT3QHNK9yW+M9Ktj/iTWK3Ie0KVZE
ncRJj2KumxWAPTOgz1BhKgaMuc3cYLbZ5t1v97Ep76iSS3pSaqPJl5nzQeK+3zES
UMItEGPJzPcaxBhLtBeUonpRmWakfuQpe8Ql8iN9kVR/IY/rnGQkciWylGtkraNG
xy7655euEbOEut4tjdGbqfAqcnMVNRt/M1afWoG8/pxYuaqfuTpsTc4tDiC8jW4h
uwMJoOaarmAadZQqp/dwHWUf7Xyo8LsM8XAcTFKEBNsG2LzCikgmeViDKrgv4vGi
QC0lV8//ltGhYszL0jFyriMlL8XpK+OciltmFw==
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun  4 11:04:38 2015 GMT; NotAfter: Jun  4 11:04:38 2035 GMT
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
---
Server certificate
subject=CN = brazoslink.net
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4989 bytes and written 451 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 165B6838B8AA3544B9D0B51F55547D2A080536B5D167F61575E01CE1DEDB9C05
    Session-ID-ctx:
    Master-Key: DCD7F335A174806FE7637A70E88E6F1318B5F1A2BF70CA2328999187508986FEA7C434A44D850598E5D11B88D2F7EBD4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 78 b8 14 1e 0c 7a 3e dd-ce 23 48 68 9f 9a 75 2e   x....z>..#Hh..u.
    0010 - 7e b3 11 5a 3c 3c 59 36-3a 08 fa cc 75 5b 32 c9   ~..Z<<Y6:...u[2.
    0020 - 95 af 51 b1 28 61 5d f9-92 00 3f 2f ba 06 bd 79   ..Q.(a]...?/...y
    0030 - 50 b2 f1 65 d7 ce d6 8e-0b d4 42 ed be 02 aa a5   P..e......B.....
    0040 - 7a 53 de 42 c5 91 3e d7-c8 0f 45 80 f2 c0 de 03   zS.B..>...E.....
    0050 - 46 ac 30 98 c6 a1 77 0c-4f f7 55 8b 66 32 c6 c2   F.0...w.O.U.f2..
    0060 - 2c 4f 32 c0 7c ca 26 f5-07 e1 ab 33 e2 b5 21 d4   ,O2.|.&....3..!.
    0070 - 9d e6 0f 9e 20 84 f0 84-79 5a 97 8a 8b 75 d6 5d   .... ...yZ...u.]
    0080 - fb 0d 88 b0 dd 43 e5 f2-cb be f6 5c 90 27 53 fe   .....C.....\.'S.
    0090 - e3 8d f0 52 fa 25 77 d0-42 d9 da b6 ea e1 c1 53   ...R.%w.B......S
    00a0 - 05 bf 62 be 6c dc 45 03-33 93 16 99 02 28 ab 0a   ..b.l.E.3....(..

    Start Time: 1668449385
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
+OK Dovecot ready. <16b18.5.63728469.k+R1tUBam0t2tb5/puSnHQ==@kim.kairosnet.com>

% openssl s_client -showcerts -connect mail.brazoslink.net:465 -servername mail.brazoslink.net
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = brazoslink.net
verify return:1
---
Certificate chain
 0 s:CN = brazoslink.net
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 14 16:32:24 2022 GMT; NotAfter: Feb 12 16:32:23 2023 GMT
-----BEGIN CERTIFICATE-----
MIIGSDCCBTCgAwIBAgISBDcLoVCZRLGjt2QLN9TbVoU3MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjExMTQxNjMyMjRaFw0yMzAyMTIxNjMyMjNaMBkxFzAVBgNVBAMT
DmJyYXpvc2xpbmsubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
sJSxgXoyxRKWvCIczSAz22mQhip4l8xGSHN8Jp2w7Y6iuMDrRCPL9oGunVZ0201E
VdIFeu790ZB6re+uH9CHRMK6PYJZB2K/yOp/R0lPtbxD3UaWH5NhAfy5JqVePyCA
Ab7X4FaTRqZPJIXRwCet4KEKbbX1bLFRCsYOch7eJWx7jz7/u4lK3LMFdHjo+Hjz
QTYDnVWTVoKIGVxesple7j+a9r5vzmbp/rFLT86Zcvcz1hFM/cJiUtctEDyVl3zT
cokyfSfhjDxsc4WBjjDcoQPwB+RapvH1ojxnV/ycOw6eZgXeNjHL2gCDIVfH8MeR
XzdAY0lhUeE1dl/89naLawIDAQABo4IDbzCCA2swDgYDVR0PAQH/BAQDAgWgMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1Ud
DgQWBBQMjKfymPQ9Xmj2FUZDTZym+vkOyjAfBgNVHSMEGDAWgBQULrMXt1hWy65Q
CUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9y
My5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3Jn
LzCCAT0GA1UdEQSCATQwggEwghdiYWNrZG9vci5icmF6b3NsaW5rLm5ldIIOYnJh
em9zbGluay5uZXSCGWNvbmZlcmVuY2UuYnJhem9zbGluay5uZXSCE2ljYWwuYnJh
em9zbGluay5uZXSCFWphYmJlci5icmF6b3NsaW5rLm5ldIITbWFpbC5icmF6b3Ns
aW5rLm5ldIIWbWVtYmVycy5icmF6b3NsaW5rLm5ldIIRbXQuYnJhem9zbGluay5u
ZXSCEm14Mi5icmF6b3NsaW5rLm5ldIIUc3RhdHMuYnJhem9zbGluay5uZXSCF3Rv
ci1leGl0LmJyYXpvc2xpbmsubmV0ghJ2cG4uYnJhem9zbGluay5uZXSCE3dpa2ku
YnJhem9zbGluay5uZXSCEnd3dy5icmF6b3NsaW5rLm5ldDBMBgNVHSAERTBDMAgG
BmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3Bz
LmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2AHoyjFTY
ty22IOo44FIe6YQWcDIThU070ivBOlejUutSAAABhHczDLkAAAQDAEcwRQIhAIIf
GQsecM9VFArQQaUekNnBGSBpwqZ8vAi0bVvt+/hvAiBXiMdDOltk6k6iHT+aW64z
tsJW7wCdwnHP9fMQp+MOhgB2AK33vvp8/xDIi509nB4+GGq0Zyldz7EMJMqFhjTr
3IKKAAABhHczDJ8AAAQDAEcwRQIgGO8dFhtyVEAE0jTgtjkxp9Auczz6K4vEdmHz
BE3QrC0CIQCaevuaji5IGsJblIz2VTDLEh7TFMVX74yoFYsJj4uALzANBgkqhkiG
9w0BAQsFAAOCAQEAGgDRD9eZo4dFANhhAMvbT3QHNK9yW+M9Ktj/iTWK3Ie0KVZE
ncRJj2KumxWAPTOgz1BhKgaMuc3cYLbZ5t1v97Ep76iSS3pSaqPJl5nzQeK+3zES
UMItEGPJzPcaxBhLtBeUonpRmWakfuQpe8Ql8iN9kVR/IY/rnGQkciWylGtkraNG
xy7655euEbOEut4tjdGbqfAqcnMVNRt/M1afWoG8/pxYuaqfuTpsTc4tDiC8jW4h
uwMJoOaarmAadZQqp/dwHWUf7Xyo8LsM8XAcTFKEBNsG2LzCikgmeViDKrgv4vGi
QC0lV8//ltGhYszL0jFyriMlL8XpK+OciltmFw==
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun  4 11:04:38 2015 GMT; NotAfter: Jun  4 11:04:38 2035 GMT
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
---
Server certificate
subject=CN = brazoslink.net
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5001 bytes and written 451 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: B484906DD18194EF5C47BEE5E33495CB06660DC38469AD4889D72674D1E80971
    Session-ID-ctx:
    Master-Key: 02C02DFF2995BC874E3C97E43FF98D7E5F1210FA33014B913516D3E13E6282DE6720E042E6C1AC1C2067AA7298D966CA
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - cb f4 87 43 71 3c a7 95-e4 a6 25 57 ac 1c 38 e7   ...Cq<....%W..8.
    0010 - 34 d6 de 11 f7 ba 87 49-11 d9 73 1d d1 f9 aa a2   4......I..s.....
    0020 - aa d8 fc 44 5e c4 61 da-2e a6 4d d7 b1 9a 32 9f   ...D^.a...M...2.
    0030 - d9 83 2f 59 5a fc fc 35-61 9f 4f d2 50 f9 2b ce   ../YZ..5a.O.P.+.
    0040 - 24 e3 d7 f9 40 2a 8a b7-83 c9 b9 c1 f2 83 91 f5   $...@*..........
    0050 - 5a 69 96 af 71 08 8f 5d-da 69 16 79 89 81 b4 cf   Zi..q..].i.y....
    0060 - 6a 18 be 90 4a 5e 85 1f-4d 27 df d9 d0 7a 79 ae   j...J^..M'...zy.
    0070 - bc 41 66 b4 78 97 79 65-dc 28 63 91 fb 7c 7a b9   .Af.x.ye.(c..|z.
    0080 - 1c 22 4d 1e 2c 7f c6 c1-0f 88 f7 d4 72 09 60 31   ."M.,.......r.`1
    0090 - 7d 27 2b 27 c4 46 cc 0c-ae 18 2b 64 12 61 6f 7b   }'+'.F....+d.ao{
    00a0 - e9 61 02 47 ba 80 72 bc-18 46 62 ad 19 d3 09 f3   .a.G..r..Fb.....
    00b0 - 7a 1d 73 b8 0f 45 68 d8-b0 54 e1 9a a1 5d 4f 08   z.s..Eh..T...]O.

    Start Time: 1668449426
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
220 kim.kairosnet.com ESMTP Postfix

Additional info: I've been running a *.brazoslink.net wildcard cert from GoDaddy for several years without issue, and I just switched over to the LetsEncrypt cert.