BUG: ERR_CERT_AUTHORITY_INVALID upon installation

Issue Description

I installed Stalwart on a fresh Ubuntu server.

Upon installation it asked me for a hostname, and said that it would automatically fetch an SSL certificate for this hostname.

Now, even though the hostname is pointed correctly to the server, I’m getting ERR_CERT_AUTHORITY_INVALID when visiting the hostname. The certificate is the rcgen self-signed cert. I tried every setting and config in ACME, Certificate, etc. Nothing helpful.

It is such a bad impression on users that they face such an issue upon installation itself.

Expected Behavior

The SSL certificate should be installed automatically using Let’s Encrypt for the hostname.

Actual Behavior

A self-signed certificate is showing as installed on the hostname even after 1 day has passed.

Stalwart Version

v0.16.x

Installation Method

Binary (Linux)

Database Backend

RocksDB

Blob Storage

RocksDB

Search Engine

Internal

Directory Backend

Internal

I have reviewed the documentation and FAQ and confirm that my issue is NOT addressed there.

I have searched this support forum (open and closed topics) and confirm this is not a duplicate.

I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.

The self-signed rcgen certificate you’re seeing is the fallback certificate Stalwart presents while the ACME challenge is still in progress or has silently failed. After more than a day without a valid Let’s Encrypt certificate, the ACME challenge is almost certainly failing. Here is a systematic checklist to diagnose and fix it:


1. Check which challenge type is configured

The default challenge is TLS-ALPN-01, which requires port 443 to be publicly reachable from Let’s Encrypt’s servers. If your Ubuntu server is behind a firewall, NAT, or a cloud security group that blocks inbound port 443, the challenge will always fail silently and the server will keep showing the self-signed fallback.

Go to the WebUI: Settings › TLS › ACME Providers and check the challengeType field:

  • TlsAlpn01 (default) – requires port 443 open to the internet
  • Http01 – requires port 80 open to the internet
  • Dns01 / DnsPersist01 – no public port required, but needs DNS automation

The most common cause of this issue on a fresh install is that port 443 is not reachable from the internet.


2. Verify your Domain is configured for Automatic certificate management

In the WebUI: Settings › Domains, open your domain and confirm that certificateManagement is set to the Automatic variant and has the acmeProviderId pointing to your ACME provider. If it is set to Manual, ACME will never run.


3. Check ACME event logs

Stalwart emits specific ACME events you can look for in the logs:

  • acme.auth-start – challenge started
  • acme.auth-valid – domain validated successfully
  • acme.auth-error – something went wrong

If you see acme.auth-error events, the error detail will tell you exactly what Let’s Encrypt rejected (usually a connectivity or DNS issue).


4. Test-run against Let’s Encrypt staging first

If you keep retrying against the production Let’s Encrypt directory and hitting failures, you may exhaust rate limits. In the WebUI, temporarily change the AcmeProvider directory to:

https://acme-staging-v02.api.letsencrypt.org/directory

to debug without consuming production rate-limit budget. Switch back once validated.


5. If port 443 is blocked, switch to HTTP-01

If your host can serve HTTP but not TLS directly (e.g., behind a proxy), change challengeType to Http01 – this requires port 80 to be reachable. If neither port is available, use Dns01 with a supported DNS provider.

Relevant docs:

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.

  1. I checked using telnet, the port 443 is reachable. Using default TlsAlpn01 type.
  2. Already checked, it’s set to automatic.
  3. I don’t see any acme logs in stalwart logs.
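A small diagnostic script to go with the checklist in the bot reply above and the follow-up that reports no ACME log lines at all. It is an added example, not Stalwart’s own code or tooling: it scans log lines for the three acme.auth-* event names the reply lists (the surrounding line layout, the details="..." field and the sample lines are constructed assumptions), maps the result onto the checklist steps, and probes the hostname over HTTPS with the system trust store so that an untrusted certificate (such as the self-signed fallback) fails verification the same way the browser’s ERR_CERT_AUTHORITY_INVALID does. The probe only proves reachability from the machine running it, not from Let’s Encrypt’s validators, which is what TLS-ALPN-01 actually needs.

```python
import re
import socket
import ssl
from collections import Counter

# Event names come from the reply above; the surrounding log-line layout and the
# details="..." field are constructed stand-ins, since the scan only needs the event name.
EVENT_RE = re.compile(r"\bacme\.auth-(start|valid|error)\b")
DETAIL_RE = re.compile(r'details?="([^"]*)"')

# Constructed sample lines (not real Stalwart output) showing a challenge that starts and fails.
SAMPLE_LOG = [
    '2024-05-01T10:00:00Z INFO  acme.auth-start domain="mail.example.com" challenge="tls-alpn-01"',
    '2024-05-01T10:00:31Z WARN  acme.auth-error domain="mail.example.com" '
    'details="Timeout during connect (likely firewall problem)"',
    '2024-05-01T10:01:00Z INFO  smtp.connection-start remoteIp="203.0.113.7"',
]


def scan_acme_events(lines):
    """Count acme.auth-* events and collect the detail text of every auth-error line."""
    counts = Counter()
    errors = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        event = "acme.auth-" + m.group(1)
        counts[event] += 1
        if event == "acme.auth-error":
            d = DETAIL_RE.search(line)
            errors.append(d.group(1) if d else line.strip())
    return {"counts": dict(counts), "errors": errors}


def diagnose(summary):
    """Map a scan result onto the checklist steps and say which one to look at next."""
    counts = summary["counts"]
    if not counts:
        # The follow-up case: no acme.* lines at all means ACME never ran for the domain.
        return "no ACME events at all: ACME is not running; re-check step 2 (certificateManagement / acmeProviderId)"
    if summary["errors"]:
        return "challenge failed: " + "; ".join(summary["errors"])
    if counts.get("acme.auth-valid"):
        return "domain validated; certificate should be issued"
    return "challenge started but never validated: check port reachability for the configured challenge type (step 1)"


def probe_https(host, port=443, timeout=5.0):
    """Connect to host:port with the default trust store and report whether the presented
    certificate is trusted (what the browser checks) and who issued it.  A verification
    failure here is the condition the browser shows as ERR_CERT_AUTHORITY_INVALID.
    Needs network access; not exercised by the offline test."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # getpeercert() returns the issuer as a tuple of RDNs, each a tuple of (key, value) pairs.
                issuer = {k: v for rdn in tls.getpeercert()["issuer"] for k, v in rdn}
                name = issuer.get("organizationName", issuer.get("commonName"))
                return {"reachable": True, "trusted": True, "issuer": name, "error": None}
    except ssl.SSLCertVerificationError as e:
        return {"reachable": True, "trusted": False, "issuer": None, "error": e.verify_message}
    except OSError as e:
        return {"reachable": False, "trusted": False, "issuer": None, "error": str(e)}


if __name__ == "__main__":
    summary = scan_acme_events(SAMPLE_LOG)
    print(summary)
    print(diagnose(summary))
    # Replace with your own hostname; this line needs network access.
    # print(probe_https("mail.example.com"))
```

Feed `scan_acme_events` the server’s log lines (for example `sys.stdin` after piping the log through it) and let `diagnose` tell you whether you are in the "no events" case from the follow-up, the "auth-error" case where the details text names what Let’s Encrypt rejected, or the "started but never valid" case that points back at port reachability.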