To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
Which is correct, because the domain mail.mydomain.nl is not a webserver, but a mail server. A mail server has an MX record and no DNS A record.
So, now I am lost. The point of getting a certificate only is to use the certificate elsewhere, isn't it? Is it possible to get a mail certificate at all? I am a little bit confused.
To obtain a certificate you either need to use a webserver (in which case mail.mydomain.nl needs to respond on port 80, using your current webserver, or stopping it and using the built-in webserver in the letsencrypt client) or use the DNS challenge (whereby the challenge token is presented by DNS rather than HTTP). The current official client doesn't support the DNS challenge yet, but the alternative clients do.
Not quite. You should have mydomain.nl IN MX 10 mail.mydomain.nl, i.e., the MX record for your "main" domain points to the A record of mail.mydomain.nl. And mail.mydomain.nl probably resolves to the same IP as www.mydomain.nl.
The question is: how's your webserver configured? What kind of VirtualHosts does it have? What happens when you point to mail.mydomain.nl in your browser? Do you get the same website as www.mydomain.nl? Or some kind of error?
I created a certificate for my (postfix/dovecot) mail server using certonly and webroot authentication. However, the same domains I use for mail also direct to my webserver.
However, if you don't have such a setup, you'll have to use DNS or standalone mode to create the certs. But standalone requires you to shut down any running webserver to authenticate, and the official client doesn't yet support DNS!
I’d take a look at NeilPang’s acme.sh client and see if DNS authentication works for you.
So we have two options. Option 1: make a virtual server for mail.mydomain.nl and keep it running for the renewal of the certificate. Or make use of the built-in webserver. But what happens with renewal of the certificate in this case?
You could also make the mail.mydomain.nl virtualhost a reverse proxy to localhost on another port. Although Boulder will always try to connect to port 80 or 443 (depending on the challenge type), you can instruct the client in standalone mode to listen on another port. That way you don’t have to serve a complete page/site on mail.mydomain.nl (although you’d need to generate a virtualhost section) and renewal would work.
You would need to do the same as at creation. Shut down the main server, and use the standalone version for renewal. Hence, personally, I'd either use the first method (a virtual server for mail.mydomain.nl, purely used for the .well-known/acme-challenge/token) which can then make everything automated (as can the DNS challenge method).
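The two automation-friendly layouts discussed in this thread, a minimal mail.mydomain.nl virtualhost that serves only the .well-known/acme-challenge path from a webroot, and the variant that reverse-proxies that path to an ACME client listening in standalone mode on another local port, written out as an added nginx example that is not from any poster here. The webroot path /var/www/acme, the alternate port 8888 and the choice of nginx rather than Apache are assumptions.

```nginx
# Option 1: minimal HTTP vhost for mail.mydomain.nl that serves only the
# ACME HTTP-01 challenge path from a webroot (path is an assumption), so
# "certonly --webroot" and its renewals keep working without a real site.
server {
    listen 80;
    server_name mail.mydomain.nl;

    # Challenge token files are written here by the client's webroot mode;
    # renewals must point at the same directory.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;          # assumed webroot (-w /var/www/acme)
        default_type text/plain;
        try_files $uri =404;
    }

    # Nothing else to serve: this host is a mail server, not a website.
    location / {
        return 404;
    }
}

# Variant: reverse-proxy the challenge path to an ACME client running in
# standalone mode on an alternate local port (8888 is an assumption).
# Boulder still connects to port 80; nginx forwards the request internally,
# so the main webserver never has to be stopped for issuance or renewal.
# Use this server block INSTEAD OF the one above, not alongside it
# (two blocks with the same server_name would conflict).
server {
    listen 80;
    server_name mail.mydomain.nl;

    location ^~ /.well-known/acme-challenge/ {
        # proxy_pass without a URI part keeps the original request path,
        # so /.well-known/acme-challenge/<token> reaches the client intact.
        proxy_pass http://127.0.0.1:8888;
        proxy_set_header Host $host;
    }

    location / {
        return 404;
    }
}
```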