It seems to matter if you need the fingerprint of a cert and you get different hashes where used on different ports and you need to use SSL on both. I'm not quite sure why this is, but with 90 day certificate lifetimes I keep having to patch my fetchmail configuration until I figure out how to get it to verify the full chain of trust.
rich@mars:~$ echo | openssl s_client -connect subdomain.example.net:993 -showcerts | openssl x509 -fingerprint -noout -md5
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE
MD5 Fingerprint=D6:2F:CD:EF:D3:26:5A:B5:15:24:E5:55:1F:99:B8:B9
rich@mars:~$ echo | openssl s_client -connect subdomain.example.net:443 -showcerts | openssl x509 -fingerprint -noout -md5
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE
MD5 Fingerprint=7C:3B:53:41:55:43:F7:B6:F5:BE:C9:8F:E3:CD:BD:A1