Create add under the zone for mydomain.com a new record for host.mydomain.com. You don’t need to add an extra Zone.
done, thanks, now admin’s web domain (host.mydomain.com) has a green checkmark in the SSL column
restarted DNS
when I go to http://my.ip.ad.dr it says Success. When I do https://my.ip.ad.dr I (still) get “Warning: Potential Security Risk Ahead”
when I go to http://webmail.mydomain.com I get a login screen. When I go to https://webmail.mydomain.com it takes me to http://webmail.mydomain.com (the opposite of forcing SSL!)
when I go to http://mail.mydomain.com I get a login screen. When I go to https://mail.mydomain.com I get “Warning: Potential Security Risk Ahead” (PS: after I accepted the risk to proceed, it did the same as for webmail.mydomain.com, it took me to http://mail.mydomain.com! maybe, after dozens of tabs open for weeks, time to re-launch web browser, just to be ‘safe’?)
the main domain’s DNS Zone(?) has an A record for mail.mydomain.com and a CNAME to it for webmail.mydomain.com
listed under the zone for mydomain.com is mail.mydomain.com (then subdomain1.mydomain.com then subdomain2.mydomain.com)
It has a CNAME for webmail.mydomain.com that points to mail.mail.mydomain.com! I was able to edit that. Then I noticed that the reocord below it, “@”, the MX record, ALSO points to mail.mail.mydomain.com!! I edited that, too. (I hope that’s correct; mail.mail.mydomain.com seems like greater nonsense than having mail.mydomain.com point to itself)
restarted bind9 (how come the Restart icon doesn’t do anything; I have to select the line and then “Apply to selected”?)
The above-described goofy web browser Roundcube login screen responses to the 4 URLs is still the same. 
How can I tell hestia to keep me logged in for longer?