LE-certificates can be created through the certbot-program which works very well.
As i use TLSA for DANE i have to buil a separate private key which is used to create a csr und then to create a new certificate. I think certbot always creates an new private key an a new certificate which is fatal for use with 3 1 1 TLSA.
This tutorial shows how i used it within another mailserver:
Let’s Encrypt Zertifikate mit Public Key Pinning und DANE
I know that some scripts have to be rewritten but can i use this tutorial within mailcow dockerized?