LetsEncrypt & CertBot


./certbot-auto certonly --webroot -w /var/www/sites/bacononbree -d bacononbree.com -d mail.bacononbree.com -d www.bacononbree.com \
 -w /var/www/exim4u -d mail.honeybadger.net -d mymail.honeybadger.net -d webmail.honeybadger.net -d pop.honeybadger.net -d imap.honeybadger.net

The trouble is that this certificate is used by Dovecot and needs to cover bacononbree as well as honeybadger.net for incoming email. If either domain fails to authenticate (for example, because the web server is unable to write to the letsencrypt validation directory after it has been locked down to stop WordPress vulnerabilities), the certificate does not renew and nobody can receive secure email.
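
A preflight check for the failure described above, written as an added example and not part of the original page: it probes each webroot from the command for a writable .well-known/acme-challenge directory, so a locked-down site is caught before renewal is attempted. The function names check_webroot and check_all are hypothetical, and the script is assumed to run as the same user that runs certbot-auto.

```shell
#!/bin/sh
# Added example (not from the original page): verify that every webroot the
# shared certificate depends on can still accept an ACME challenge file.

# check_webroot DIR
# Returns 0 if a file can be created in DIR/.well-known/acme-challenge.
check_webroot() {
    webroot=$1
    challenge_dir="$webroot/.well-known/acme-challenge"
    [ -d "$webroot" ] || { echo "FAIL $webroot: webroot missing" >&2; return 1; }
    # Create the directory if it is absent so the probe tests the real path.
    mkdir -p "$challenge_dir" 2>/dev/null || {
        echo "FAIL $webroot: cannot create $challenge_dir" >&2
        return 1
    }
    probe="$challenge_dir/preflight-$$"
    # The subshell keeps a failed redirection from aborting the caller.
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        echo "OK   $webroot"
        return 0
    fi
    echo "FAIL $webroot: $challenge_dir is not writable" >&2
    return 1
}

# check_all DIR...
# Checks every webroot and returns the number that failed (0 means all passed).
# One failure is enough to block renewal of the whole multi-domain certificate.
check_all() {
    failures=0
    for dir in "$@"; do
        check_webroot "$dir" || failures=$((failures + 1))
    done
    return "$failures"
}

# When run as a script, check the webroots given as arguments, e.g.:
#   sh preflight.sh /var/www/sites/bacononbree /var/www/exim4u
[ "$#" -eq 0 ] || check_all "$@"
```

Running it from cron ahead of the renewal job, and alerting on a non-zero exit, gives warning while the current certificate is still valid.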