

I have a single Nginx setup which is the frontend for all my web services. So I only need to deploy it there (and to its HA partner). My renewal script just scp’s it to the secondary and does an nginx -s reload on both.
I do generate separate certs/keys for my non-web servers, but there’s only two of those.
You could also, if you wanted, just generate one cert and distribute it and its key to everything with a script or other automation tool (Ansible is what I used to use).
I use SnappyMail. It’s a fork of Rainloop that’s actually maintained.
https://github.com/the-djmaze/snappymail
And unlike Rainloop, the Sieve filter editor actually works.