Certbot was struggling to auto-renew my domain SSL cert due to changes in OpenSSL 3 support for legacy protocols. Something is clearly wrong with my my openssl config but fearful of breaking the whole set up I only want to address the Certbot renewal failures.
ChatGPT gave some fixes, but the only one that actually worked was setting the CSH variable setenv CRYPTOGRAPHY_OPENSSL_NO_LEGACY 1 which stops certbot trying to use the legacy protocols that are no longer there allowed CERTBOT renew to skip thru the steps happily and now the server is ok until February by which time I truly hope to have retired the current server.