Here are the commands I ran on a fresh 9.2 install to get a working certificate for use with devices outside the SME's network, i.e. no having to accept a self-signed certificate.
Feedback from John Crisp, developer of the smeserver-letsencrypt contrib, was crucial. He noted that all names and domains must resolve and be reachable via Internet DNS in order for this to succeed, and he pointed out the need for ACCEPT_TERMS.
I had tried with the following:
config setprop setprop letsencrypt configure all
And it apparently ran without error, but no certificates were generated in the next steps because letsencrypt's servers couldn't reach all of www.[DOMAIN].[TLD], ftp, etc.
Here's what DID work. Items in brackets are redacted or replaced with generic names for privacy.
I should note that I was only trying to make it so that phones, tablets, and computers outside the SME's network would be able to send & receive email without having to accept/install a self-signed certificate.
*****************************************************
yum install --enablerepo=smedev smeserver-letsencrypt
signal-event post-upgrade; signal-event reboot
db hosts setprop [HOST].[DOMAIN].[TLD] letsencryptSSLcert enabled
config setprop letsencrypt ACCEPT_TERMS yes
config setprop letsencrypt email [redacted]
expand-template /etc/dehydrated/config
config setprop letsencrypt status enabled
signal-event console-save
dehydrated -c -x
*****************************************************
And now external clients can access the SME 9.2 server without accepting a self-signed certificate.
Relevant bug reports:
https://bugs.contribs.org/show_bug.cgi?id=10253https://bugs.contribs.org/show_bug.cgi?id=10274