Issue When Mail Domain SSL Renews The Cert Reverts To domain.tld

[Kaspar]

But if you do not have such a subdomain, which setup do you use? Plesk DNS? TLSA? etc etc.

Not using DANE/TLSA. DNS is managed via Plesk.

In addition, do you have issues with webmail certs not renewing / not being assigned (when other parts are renewed properly)?

Not really. I can't honestly remember the last time I had an issuing issue (that wasn't the result of a LE outage or some DNS misconfiguration on my end).

In addition, is your checkbox (secure mail) also not active when first selecting "assign cert to the mail domain"?

Yeah, the fact that (currently at least) manual interaction is required to get the mail.* subdomain included in the certificate as a SAN and get it assigned for the mail domains mail service is definitely a pity. I really wish that there was an option we (as server administrators) could enable to have this included in the issuing process by default.

I've circumvented this limitation for now by automating the initial domain certificate issuing using a custom script and the SSL it! CLI.