./certbot-auto certonly --webroot -w /var/www/sites/bacononbree -d bacononbree.com -d mail.bacononbree.com -d www.bacononbree.com \ -w /var/www/exim4u -d mail.honeybadger.net -d mymail.honeybadger.net -d webmail.honeybadger.net -d pop.honeybadger.net -d imap.honeybadger.net
The trouble is that this certificate is used by dovecot and needs to cover bacononbree as well as honeybadger.net for incoming email. If either domain fails to authenticate (for e.g. the web server is unable to write to the letsencrypt validation directory because it has been locked down to stop Wordpress vulnerabilities), the certificate does not renew and nobody can receive secure email.
Adding SSL to an Apache Site
Just run "sudo ~/bin/certbot-auto" and follow the prompts.