But for $DOMAIN itself, it’s fine:
The certificate currently available on $DOMAIN is OK. It is not one of the certificates affected by the Let’s Encrypt CAA rechecking problem. Its serial number is 04ccd2295f55703fba0b7476f5beda20a6e9
Do I need to do something with the config so that it uses the right SSL cert?
At the moment, you need to use the bare domain (just example.com rather than mail.example.com) for the mail client.
Sympl only supports getting certificates for the bare domain and the www subdomain, but not the mail subdomain or any others, but that should be fixed in the next major version.
There's a kludge to get this to work by adding an alias/symlink from mail.example.com to example.com in /srv, then forcing a new cert request with sympl-ssl --force example.com, but it’s not very elegant at present.
This kludge can cause problems with websites - suddenly mail… becomes a synonym for www… - and that opens up loads of problems and increases search engine and hacking access. I stopped doing this when I moved to Mythic - but am still getting bots trying to get into mail…
Might be better to have an email-only separate domain for the mail. site. You can then symlink the mail directory over, and get the certificate. Will this work?
Maybe, but you’d probably be best off using a valid hostname for the mail clients for now - it can be any hostname for the server, as long as it has a valid SSL cert - it doesn’t have to match the mail domain.
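Added example, not part of the original thread and not Sympl's own code: a Python check of which hostnames a mail client can use against a certificate's subjectAltName list, showing why mail.example.com is rejected when the cert names only example.com and www.example.com. The SAN text is constructed sample input in the form printed by `openssl x509 -noout -ext subjectAltName`, and the function names are hypothetical.

```python
import re

# Constructed sample: SAN extension text as printed by
# `openssl x509 -noout -ext subjectAltName` for a cert that names only
# the bare domain and www (the situation described in the thread).
SAMPLE_SAN = """X509v3 Subject Alternative Name:
    DNS:example.com, DNS:www.example.com
"""


def parse_san_dns(san_text):
    """Return the lower-cased dNSName entries found in openssl's SAN output."""
    return [n.lower().rstrip(".") for n in re.findall(r"DNS:([^,\s]+)", san_text)]


def name_matches(pattern, hostname):
    """Match one SAN entry against a hostname, following RFC 6125 rules."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label; refuse "*.tld".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def covered(san_text, hostname):
    """True if any SAN entry in the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in parse_san_dns(san_text))


def check_client_hostnames(san_text, hostnames):
    """Map each candidate mail-client hostname to whether the cert covers it."""
    return {h: covered(san_text, h) for h in hostnames}


if __name__ == "__main__":
    candidates = ["example.com", "www.example.com", "mail.example.com"]
    for host, ok in check_client_hostnames(SAMPLE_SAN, candidates).items():
        print(f"{host}: {'covered' if ok else 'NOT covered, client will warn'}")
```
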