Clarification question regarding TLS certificates

@helpbot, I have a similar setup (caddy only proxies HTTPS traffic (admin, DAV); imaps and submission are handled directly by stalwart) and I have recently upgraded to 0.16. The TLS certificate expired and, after a restart, _disappeared_ from stalwart - the certificates are no longer updated through ACME and I have trouble figuring out how to achieve this.

In other words, stalwart reports: `2026-06-12T08:37:42Z WARN No TLS certificates available (tls.no-certificates-available) total = 0`

I have an ACME provider configured with TLS-ALPN-01 but I can’t see where I can configure that Stalwart should obtain the certificate for the domain automatically. I noticed in the documentation that stalwart should be receiving TCP 443 traffic (which is not the case, since caddy terminates 443) so this might be the reason certs are not obtained? So I changed it to HTTP-01…

When I restart the server, I can see it tries to obtain the certificates from the log file:

```
2026-06-12T08:52:18Z INFO ACME authentication started (acme.auth-start) hostname = "mta-sts.domain.tld", type = "http-01", url = "https://acme-v02.api.letsencrypt.org/acme/new-order"
2026-06-12T08:52:18Z INFO ACME authentication started (acme.auth-start) hostname = "autoconfig.domain.tld", type = "http-01", url = "https://acme-v02.api.letsencrypt.org/acme/new-order"
2026-06-12T08:52:18Z INFO ACME authentication started (acme.auth-start) hostname = "autodiscover.domain.tld", type = "http-01", url = "https://acme-v02.api.letsencrypt.org/acme/new-order"
2026-06-12T08:52:18Z INFO ACME authentication started (acme.auth-start) hostname = "ua-auto-config.domain.tld", type = "http-01", url = "https://acme-v02.api.letsencrypt.org/acme/new-order"
2026-06-12T08:52:43Z WARN No TLS certificates available (tls.no-certificates-available) total = 0
```

But nothing is obtained. The reverse proxy logs show that a connection is made to the HTTP /.well-known endpoint, redirected to SSL and then requested over SSL successfully.

Related discussion: TLS certs not available - #4 by helpbot

In other words: when using the HTTP-01 challenge, it seems that /.well-known is accessed successfully (but maybe caddy serves it instead of stalwart?). The end result being that stalwart does not have any certificates and uses a self-signed cert for mail.domain.tld.

When using TLS-ALPN-01, no request is seen in the reverse proxy and still no certificate.

Not sure how this was working prior to 0.16. I am using 0.16.8 currently.