OK, it's fixed. It was clear this morning, after a few hours of sleep, after returning back from the experimental self-signed configuration to paid cert, and finding my cert expired once again, that I simply MUST have inadvertently pointed "config setprop modSSL key..." to the wrong key file, which still MUST exist.
It turned out that I had done exactly that: this time around, following the instructions in the link below, I had used different filenames than the previous ones; then I had inadvertently permitted command line completion from my history (it must have been a script that wrote the commands into history last time: I surely didn't) to select the old file.
So the method, per "
https://wiki.koozali.org/Certificates_Concepts", worked when correctly executed, of course:
After moving the crt, key and ca-bundle files to the proposed locations at /home/e-smith/ssl.crt, ....ssl.key and .../ssl.CertificateChainFile respectively,
config setprop modSSL crt /home/e-smith/ssl.crt/imported_{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/imported_{domain}.key
config setprop modSSL CertificateChainFile /home/e-smith/ssl.chainfile/imported_{domain}.crt
signal-event ssl-update
"/etc/dovecot/ssl/imapd.pem" was created automagically, as was /etc/openldap/ssl/slapd.pem.
And yes, of course the "ca-bundle" file from Sectigo worked perfectly well.
I will finish by saying that the "Manage SSL Certificates" add-in steadfastly refused to work for me, and even now continues to show the self-cert key, private key and chain files. Maybe between now and next year I'll see if I can find the author's write-up, and see how it's supposed to work... I thought I'd used it successfully last year, perhaps not.
Thanks for the help, guys.