I am having problems with certificates on my ISPConfig 3.2.3 server (that was previously upgraded from 3.1). I want it to use a Let's Encrypt cert everywhere (no self-signed cert).

When I set up an IMAP email account in Thunderbird (problems with Outlook as well) I get an error saying to "Add security Exception" "Wrong Site" "Unknown Identity". When I view the certificate it shows it is a self-signed cert instead of my Let's Encrypt cert.

I searched the server for all .pem files. The only one I found with a self-signed cert was in:

    /etc/ssl/private/pure-ftpd.pem

I checked the contents of each .pem like this:

    openssl x509 -in /etc/ssl/private/pure-ftpd.pem -text|more

I found an article on letsencrypt dot org called simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921 so I edited /etc/dovecot/conf.d/10-ssl.conf to point to my Let's Encrypt certs:

    ssl_cert = </etc/letsencrypt/live/mail.mydomain.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.mydomain.com/privkey.pem

Then I restarted dovecot:

    sudo service dovecot restart

Same problem.

I'm not an ISPConfig or certificate expert, but I have scoured the forums and Internet and nothing seems to quite fit my situation. I'm hoping someone can help. How do I get all services on my 3.2.3 server to use my Let's Encrypt certificate?

My htf_report.txt is below:

    ##### SERVER #####
    IP-address (as per hostname): [localhost]
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Ubuntu 18.04.2 LTS
    [INFO] uptime: 00:28:59 up 3:24, 3 users, load average: 0.08, 0.13, 0.19
    [INFO] memory:
           total  used  free  shared  buff/cache  available
    Mem:   7.8G   1.8G  4.2G  13M     1.8G        5.7G
    Swap:  2.0G   0B    2.0G
    [INFO] ISPConfig is installed.

    ##### ISPCONFIG #####
    ISPConfig version is 3.2.3

    ##### VERSION CHECK #####
    [INFO] php (cli) version is 7.2.19-0ubuntu***.***.***.***
    [INFO] php-cgi (used for cgi php in default vhost!) is version 7.2.19

    ##### PORT CHECK #####

    ##### MAIL SERVER CHECK #####

    ##### RUNNING SERVER PROCESSES #####
    [INFO] I found the following web server(s):
        Apache 2 (PID 1793)
    [INFO] I found the following mail server(s):
        Unknown process (smtpd) (PID 8980)
    [INFO] I found the following pop3 server(s):
        Dovecot (PID 17492)
    [INFO] I found the following imap server(s):
        Dovecot (PID 17492)
    [INFO] I found the following ftp server(s):
        PureFTP (PID 2045)

    ##### LISTENING PORTS #####
    (only () Local (Address)
    [anywhere]:993 (17492/dovecot)
    [anywhere]:995 (17492/dovecot)
    [localhost]:10023 (1700/postgrey)
    [localhost]:10024 (2721/amavisd-new)
    [localhost]:10025 (17707/master)
    [localhost]:10026 (2721/amavisd-new)
    [localhost]:10027 (17707/master)
    [anywhere]:587 (17707/master)
    [localhost]:11211 (918/memcached)
    [anywhere]:110 (17492/dovecot)
    [anywhere]:143 (17492/dovecot)
    [anywhere]:465 (16706/smtpd)
    [anywhere]:21 (2045/pure-ftpd)
    ***.***.***.***:53 (1008/named)
    [localhost]:53 (1008/named)
    ***.***.***.***:53 (698/systemd-resolve)
    [anywhere]:22 (1381/sshd)
    [anywhere]:25 (8980/smtpd)
    [localhost]:953 (1008/named)
    *:*:*:*::*:993 (17492/dovecot)
    *:*:*:*::*:995 (17492/dovecot)
    *:*:*:*::*:10023 (1700/postgrey)
    *:*:*:*::*:10024 (2721/amavisd-new)
    *:*:*:*::*:10026 (2721/amavisd-new)
    *:*:*:*::*:3306 (1464/mysqld)
    *:*:*:*::*:587 (17707/master)
    [localhost]10 (17492/dovecot)
    [localhost]43 (17492/dovecot)
    *:*:*:*::*:8080 (1793/apache2)
    *:*:*:*::*:80 (1793/apache2)
    *:*:*:*::*:465 (16706/smtpd)
    *:*:*:*::*:8081 (1793/apache2)
    *:*:*:*::*:21 (2045/pure-ftpd)
    *:*:*:*::*:53 (1008/named)
    *:*:*:*::*:22 (1381/sshd)
    *:*:*:*::*:25 (8980/smtpd)
    *:*:*:*::*:953 (1008/named)
    *:*:*:*::*:443 (1793/apache2)

    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    f2b-dovecot-pop3imap tcp -- [anywhere]/0 [anywhere]/0 multiport dports 110,995,143,993
    f2b-postfix tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25
    f2b-pure-ftpd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 21
    f2b-sshd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 22

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain f2b-dovecot-pop3imap (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.***/16 [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.***/16 [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain f2b-postfix (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.***/16 [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.***/16 [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain f2b-pure-ftpd (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.***/16 [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.***/16 [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain f2b-sshd (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.***/16 [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.***/16 [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0

    ##### LET'S ENCRYPT #####
    Certbot is installed in /usr/bin/letsencrypt

Run: ispconfig_update.sh --force to redo the update. When the updater asks you if you want to create a new SSL cert for ISPConfig, choose yes.
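
A way to confirm the result after the update, as an added example that is not part of the original thread: inspecting .pem files on disk does not show which certificate a daemon actually serves, so this script connects to each service port listed in the report and prints whether the served certificate is self-signed and whether it covers the hostname. The function names are hypothetical, and the hostname argument is assumed to be the name the mail client connects to.

```bash
#!/usr/bin/env bash
# Added example: report which certificate each TLS service actually serves.
# Function names are hypothetical; ports come from the htf_report above.

# "self-signed" when subject equals issuer (self-issued), else "ca-issued".
classify_cert() {
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    if [ "$subject" = "$issuer" ]; then echo "self-signed"; else echo "ca-issued"; fi
}

# Succeeds when the certificate is valid for the name the client connects to.
covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Save the leaf certificate a live service presents into file $4.
# $3 is an optional STARTTLS protocol (imap, pop3, smtp, ftp).
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" \
        ${3:+-starttls "$3"} </dev/null 2>/dev/null |
        openssl x509 -out "$4" 2>/dev/null
}

# Probe each port as "port[:starttls-proto]"; plaintext-only ports simply
# report that no certificate was received.
audit_host() {
    tmp=$(mktemp)
    for svc in 993 995 143:imap 110:pop3 465 587:smtp 25:smtp 21:ftp 443 8080; do
        port=${svc%%:*}
        proto=
        case $svc in *:*) proto=${svc#*:} ;; esac
        if fetch_cert "$1" "$port" "$proto" "$tmp"; then
            kind=$(classify_cert "$tmp")
            if covers_host "$tmp" "$1"; then name="name ok"; else name="NAME MISMATCH"; fi
            printf '%-5s %-12s %s\n' "$port" "$kind" "$name"
        else
            printf '%-5s no certificate received\n' "$port"
        fi
    done
    rm -f "$tmp"
}

# Run only when a hostname is given, e.g.: ./cert_audit.sh mail.mydomain.com
if [ "$#" -ge 1 ]; then audit_host "$1"; fi
```

Any port that still prints `self-signed` or `NAME MISMATCH` is served by a daemon that has not picked up the new certificate.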