Thanks for the reply.
I understand now. The signed cert is installed for just a single hostname. In this case: box..
The remaining hostnames are working on roundcube and Android K-9. These clients for these hostnames complain but dutifully import or use the signed SSL cert. The self-signed cert would not import for any reason so I’m better off with the signed cert. Sorry about all the noise.