This has been a popular topic for my customers, I’d like to alert the ones here who are waiting on this that the guide is live:
The steps will still be more streamlined in the coming days, but for the moment I’ve tried to outline the steps very simply and provide clear expectations.
Welcome any feedback as well 
Works a charm here.
Just in time! I’ve been using a manually generated LE cert which I think has just expired. Thanks for the update! 
Currently have my email account on London server. Do you think the ip will ever change without notifying? I thought it would be better to set an A Record instead of CNAME record
The way certificates work is based upon hostname trust.
If you want a different hostname, pay for an IP, an SSL certificate, and general maintenance.
Yeah, I’m an asshat, didn’t check AutoSSL, thought I deleted the post, but I guess I didn’t.
At least you didn’t start bitching for SNI support in OTHER software that hasn’t changed much since the 90s.
Heh, I’ve got too many things going to remember it all. Let’s Encrypt, IPA CA’s and half a dozen SANs. Doing it all manual is getting to me.
Jarland has been awesome help. But we’re moving everything into IPA for LDAP and certmonger is just barely getting LE support. Can import the LE CAs and distribute them to all the nodes, but can’t quite request new certs yet. Internally I can get everyone to just import our CA but public facing nodes won’t do just yet.
The reason I want to stress that this can happen is that it’s mostly outside of my control. One DDOS on a network that can’t handle it and the IP changes as fast as I can get it done. In such a case, I won’t announce it as I won’t want to paint any more of a target on it than already is.
Everything is working just fine now. AutoSSL picked up the domains that needed certificates overnight and the instructions of “Just Wait” are spot on. Both webmail and mail function with the proper addressing in the browser title bar with green lock.
I had issues when this was first implemented last night at roughly 1AM UK time on the London node, opened a support ticket and within 30 minutes it was solved (it was a London specific issue).
Thank you good sir!
Yeah so for AutoSSL to work, everyone has to have the web hosting IP configured on the server which matches the server’s A record. Quite thankful for whmapi1 in that. One reason I suppose I can’t totally strip web features. At least now though, no one can sneak around and upload files. Paths no longer exist.
““mail.X” does not resolve to any IPv4 addresses on the internet.”
Web hosting with a cpanel web host
Email with MXroute
DNS hosting with a third party (which updates fairly instantly.)
This: “everyone has to have the web hosting IP configured on the server which matches the server’s A record” I think is the issue.
Is there a fix?
Already implement.
Sorry to have bothered you @Jarland I wrote too soon!
It is working now. (through your cpanel).
OT: my main provider is using Comodo/Cpanel but you are still using Let’s encrypt… is that a deliberate choice?
Thanks
Yeah I use LE on everything. I’m not sure how they do verification with that one or if they pay per cert (surely there’s a cost to them somewhere), but LE is what I know and the end to end process is something I already understand in full.