Months later after writing this (my blog) The monkeys houses web email stopped working i eventually reckoned wrongly as it turns out that the postfix tls was bad so if I was to fix it i could also need the reissue sha1 to sha256 for everything else. After all its better and in rating things its preferred.
The upgrade was not too bad once i had the right place to find the option and with some clicks down came the cert.
Quays (my blog) gave me no bonus points for the web server better protocol but then i am chill with a-. However despite sha256 i still get the yellow triangle of doom in google chrome which i assume is down to the appended sha256 and the original sha1 signatures still being in place. hpkp (my blog) does not need altering the has remains the same
Cannot win it seems. I suppose i wait for google-chrome to prefer sha256 over sha1, or cancel the certificate and do it sha256 only. Too much bother. Chromium the open source version can handle it. – go figure
The mail issue was tracked down to an unrelated security setting but in apache instead, but that is a tale for another day.