Mission accomplished! Even though more configuration was needed. I thought it would only work for my primary domain but I've solved my problem of making one LE certificate valid for multiple virtual hosts in /var/www/ (domains), sharing only one IP address on a dedicated server which doubles as a web server by using the Letsencrypt command like this:
# certbot certonly --webroot -w /var/www/letsencrypt/ -d example.com -d www.example.net -d example.org
But I simulated it first with:
# certbot certonly --dry-run --expand --webroot -w /var/www/letsencrypt/ -d example.com -d www.example.net -d example.org
Note that the directory which I named "letsencrypt" could have any name. But it's not quite so simple as just running a command; it was also necessary to configure Apache for the "well-known acme challenge", otherwise the above commands fail. And if you've already set up letsencrypt another way, then the resulting certificate won't work with the other domains in virtual hosts; at least that was my experience.
To conclude:
1. Can Letsencrypt (LE) certificates be used for sending email? The answer is, they can for TLS - standard encryption. See, for example, Email encryption in transit for a summary.
2. Can LE certificates be used for email originating from multiple virtual hosts like: example.com, example.org, example.net with only ONE IP address? Again, the answer is yes.
When I set up an email system on my dedicated server, I certainly had many doubts as to whether this was in fact possible, especially when emails got flagged on receipt by gmail with the garish, open red padlock meaning no encryption, which was annoying and doesn't exactly inspire confidence when used for business. Similarly, when entering account details in Thunderbird, up came a dissuasive pop-up against using such an insecure account too.
But now, using Letsencrypt, at least emails are hailed with a small, dull grey padlock for standard encryption when received by a gmail account, while the prettier, green padlock is reserved for S/MIME enhanced encryption. And Thunderbird also accepts the LE Certificate OK.
I hope this post makes it clear that one LE certificate works for both a web server and an email server with multiple virtual hosts on the same machine sharing only one IP address. I too had read a lot of confusing contradictory documentation and forum posts but was fortunate to come across this howto: lets-encrypt-postfix-and-dovecot, and also csware's post at github.com/diafygi/acme-tiny/issues/79 and subsequent comments.
...if one put this outside a virtualhost (e.g., in /etc/apache2/conf-enabled/le.conf on debian), it can be used as a single location for ALL virtual hosts
Quod erat demonstrandum: So I did exactly that, i.e., put the definition in /etc/apache2/conf-enabled/le.conf, ran a2enconf and indeed "it can be used as a single location for ALL virtual hosts." It worked!
Finally, I might add that the question whether to use a no-cost LE certificate or a paid one is a no-brainer; standard encryption seems good enough to me; the only other alternatives are either self-issued or CAcert's. But it's a shame that isn't even recognised in Firefox without the rigmarole of importing it into the browser.
Thank you for reading this.
"Please accept my resignation. I don’t care to belong to any club that will have me as a member".—Groucho Marx
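The post's point is that the one certificate has to carry every virtual host's name. As an added example (not from the original post or the howtos it links), here is a POSIX shell check that a certificate's Subject Alternative Names cover every hostname it will be served for, run against a constructed self-signed certificate with the three names from the certbot command above; it assumes the openssl command-line tool is installed, and mail.example.com is a hypothetical extra name.

```shell
#!/bin/sh
# Added example (not from the original post): check that a certificate's
# Subject Alternative Names cover every hostname it will be served for,
# so one Let's Encrypt certificate really fits all the virtual hosts
# (web and mail) sharing the server's single IP address.
# Assumes the openssl command-line tool is available.

# List the DNS names in a certificate's SAN extension, one per line.
cert_san_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -o 'DNS:[^,[:space:]]*' \
        | sed 's/^DNS://'
}

# Return 0 when every name after the certificate path is in its SAN list;
# otherwise print the names that are missing and return 1.
cert_covers() {
    cert=$1; shift
    names=$(cert_san_names "$cert")
    missing=""
    for host in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF "$host"; then
            missing="$missing $host"
        fi
    done
    if [ -n "$missing" ]; then
        echo "not covered by $cert:$missing"
        return 1
    fi
    return 0
}

# Constructed input: a throwaway self-signed certificate carrying the same
# three names as the certbot command in the post, standing in for the real
# /etc/letsencrypt/live/<domain>/fullchain.pem.
DEMO_DIR=$(mktemp -d)
DEMO_CERT="$DEMO_DIR/demo.pem"
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$DEMO_DIR/demo.key" -out "$DEMO_CERT" -days 1 \
    -subj '/CN=example.com' \
    -addext 'subjectAltName=DNS:example.com,DNS:www.example.net,DNS:example.org' \
    >/dev/null 2>&1

# The web names pass; a mail hostname (hypothetical) that was never requested
# with -d does not, so Thunderbird or Postfix peers would see a name mismatch.
cert_covers "$DEMO_CERT" example.com www.example.net example.org && echo "web vhosts: OK"
cert_covers "$DEMO_CERT" mail.example.com || echo "re-issue with -d mail.example.com first"
```

Point the first argument at the live fullchain.pem and list every ServerName plus the mail hostname clients connect to; a non-zero exit means the certificate needs re-issuing with the missing -d names.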