Hello, my server initially used Let's Encrypt for the admin and web interface, and a self-signed certificate for IMAPS.
I purchased a Sectigo Single Domain DV certificate and deployed it on the server with:
zmcertmgr verifycrt comm /opt/zextras/ssl/carbonio/commercial/commercial.key /tmp/certs/mail_mydomain_com.crt /tmp/certs/mail_mydomain_com.ca-bundle
zmcertmgr deploycrt comm /tmp/certs/mail_mydomain_com.crt /tmp/certs/mail_mydomain_com.ca-bundle
Everything went well without errors, but when I open my admin dashboard at https://mail.mydomain.com:6071 and the webmail interface at https://mail.mydomain.com, and check mail with Thunderbird, everything is inaccessible.
Chrome error: "mail.mydomain.com uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
Firefox error: "SSL_ERROR_NO_CYPHER_OVERLAP"
Thunderbird (with IMAPS) error: "Non overridable TLS error occured. Handshake error or probably the TLS version or certificate used by the server mail.mydomain.com is incompatible"
I tried to check the handshake; the certificate works when connecting by IP address but not by hostname:
> openssl s_client -connect mail.mydomain.com:443
CONNECTED(00000003)
40A7CAA7D67F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1586:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 331 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

> openssl s_client -connect 1.2.3.4:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = mail.mydomain.com
verify return:1
---
Certificate chain
 0 s:CN = mail.mydomain.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 18 00:00:00 2024 GMT; NotAfter: Feb 17 23:59:59 2025 GMT
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Nov 2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
 3 s:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
   v:NotBefore: Jan 1 00:00:00 2004 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
(deleted)
-----END CERTIFICATE-----
subject=CN = mail.mydomain.com
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6251 bytes and written 377 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 8A9EB6F3EF869F9F38EC3B87B7F276388083CD3526802F4FE941E4523DC6942B
    Session-ID-ctx:
    Resumption PSK: 7DB79AB4EA0F6931AA616690C38CA96E805BD182C75BEAE1E455A774A47AC49B24231D9D80CF3FA7D82356876F4EE078
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    Start Time: 1705600328
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 189274AA1DEA1C0B203B47C8EFDC0A3CB4EED8BF2B4EE5D8BD9389A97CC47B38
    Session-ID-ctx:
    Resumption PSK: B045B63BE49617CDC98081CAB600E8C488BC83EC1B60A87AF1EAD413EA75D4250388C91116CE4E10CFFA0C36DBB2F0E2
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 600 (seconds)
    Start Time: 1705600328
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed
The admin console and web interface can be accessed through the IP address, even though they warn that the certificate is wrong. I find it weird that in the Virtual Host section of the Admin Console, Let's Encrypt is still listed as the certificate. Any clue on how I can fix this?
Thanks!
Update: this problem is solved. For anyone else who may encounter this error, the cause in my case was a virtual host with a Let's Encrypt certificate that had the same name as the server's hostname.
In the past, right after installation, I had created a vhost with the same name as the server's hostname, using a Let's Encrypt certificate, so that HTTPS on the admin panel and webmail would work correctly. After I deleted the vhost and the Let's Encrypt certificate, my commercial certificate was served correctly.
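The pattern above (handshake fails by hostname, succeeds by IP) is what a per-virtual-host certificate looks like from the client side: the server picks a certificate based on the SNI name the client sends. The script below is an added example, not part of the original post; it assumes a POSIX shell with OpenSSL 1.1.1 or newer (for `-noservername`) and compares the handshake with and without SNI so the two cases can be told apart quickly.

```shell
#!/bin/sh
# Added example (not from the original post): probe a TLS endpoint with and
# without SNI and summarise each handshake. A failure only in the SNI case
# points at the certificate bound to that virtual host name, not at the
# default certificate the server presents when no name is sent.

# classify_handshake: read `openssl s_client` output on stdin and print
#   "alert-40"              for an "alert handshake failure" (alert number 40)
#   "ok <proto> <subject>"  when a peer certificate and protocol were seen
#   "unknown"               otherwise
classify_handshake() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'alert handshake failure'; then
    echo "alert-40"
  elif printf '%s\n' "$out" | grep -q '^subject='; then
    subj=$(printf '%s\n' "$out" | sed -n 's/^subject=//p' | head -n 1)
    proto=$(printf '%s\n' "$out" | sed -n 's/^New, \([^,]*\),.*/\1/p' | head -n 1)
    echo "ok $proto $subj"
  else
    echo "unknown"
  fi
}

# probe HOST PORT [SNI]: connect to HOST:PORT, sending SNI when a name is
# given and -noservername otherwise (by default s_client sends the -connect
# hostname as SNI, so an IP-address connect is effectively the no-SNI case).
probe() {
  host=$1; port=$2; sni=$3
  if [ -n "$sni" ]; then
    printf '' | openssl s_client -connect "$host:$port" -servername "$sni" 2>&1 | classify_handshake
  else
    printf '' | openssl s_client -connect "$host:$port" -noservername 2>&1 | classify_handshake
  fi
}

# compare_sni HOST PORT: show both results side by side, e.g.
#   compare_sni mail.mydomain.com 443   (hostname from the post; placeholder)
compare_sni() {
  echo "SNI=$1 : $(probe "$1" "$2" "$1")"
  echo "no SNI   : $(probe "$1" "$2" "")"
}
```

Run `compare_sni mail.mydomain.com 443` and again for port 993; an "alert-40" beside an "ok TLSv1.3 ..." line is the vhost mismatch described in the update.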