We noticed Hardenize (https://www.hardenize.com/) isn't compatible with Let's Encrypt certificates using the recently launched tlsserver profile. See https://letsencrypt.org/docs/profiles/ for details, it mainly drops non-SNI client support. Maybe we have a contact who can get it fixed quickly.

We deployed tlsserver for our services to prepare for shortlived:

https://grapheneos.social/@GrapheneOS/114452845473608945

We didn't deploy it for SMTP because too many mail servers likely still lack SNI support. For SUPL, we did a hybrid deployment until we're ready to drop 4th/5th gen Pixel support.