I’ve already been using Stalwart on another server. Now, however, I want to move to a new VPS, and because of this I set up a new instance. I have two issues with this brand-new instance (both probably related to certificates):
I can only reach the /admin endpoint, not however the simple domain at /
At the root domain I get this message only: {"type":"about:blank","status":404,"title":"Not Found","detail":"The requested resource does not exist on this server."}
TLS certificate creation is apparently not working, I have many many error messages with “No TLS certificates available (tls.no-certificates-available)”
I’m using the newest version of stalwart (downloaded / installed yesterday)
Actual Behavior
At root: {"type":"about:blank","status":404,"title":"Not Found","detail":"The requested resource does not exist on this server."}
Reproduction Steps
New install of stalwart natively on Linux Debian 13, using installation script
waiting for hours (now about 1 day), several restarts of the server
Relevant Log Output
“No TLS certificates available (tls.no-certificates-available)”
Stalwart Version
v0.16.x
Installation Method
Binary (Linux)
Database Backend
RocksDB
Blob Storage
RocksDB
Search Engine
Internal
Directory Backend
Internal
I have reviewed the documentation and FAQ and confirm that my issue is NOT addressed there.
I have searched this support forum (open and closed topics) and confirm this is not a duplicate.
I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.
Let me look up the relevant documentation on TLS certificate setup and the 404 at root.
These two issues have clear, documented answers. Here’s a breakdown:
Issue 1: Root URL / returns 404
This is expected behavior. The docs explicitly state:
There is no page mounted at the root. The WebUI lives at /admin, the per-user portal at /account, and the JMAP endpoint at /jmap.
Navigate directly to https://yourdomain/admin (or http://<host>:8080/admin while TLS is still being established).
Issue 2: tls.no-certificates-available errors
ACME certificate issuance requires a specific set of conditions to be met depending on the challenge type configured. The most common reason a fresh install fails to obtain a certificate is one of the following:
Port 80 not reachable (HTTP-01 challenge): The ACME server (Let’s Encrypt) must be able to reach your server on port 80 at http://<yourdomain>/.well-known/acme-challenge/<TOKEN>. If your VPS firewall or hosting provider blocks port 80 inbound, the challenge will never succeed. Verify port 80 is open.
DNS not pointing to the new VPS: The domain must publicly resolve to the IP of the new server. If DNS still points to the old VPS, the ACME challenge will fail.
Wrong challenge type configured: If port 80 is blocked, consider switching to the TlsAlpn01 challenge type (uses port 443) or Dns01 (no port required, but needs DNS automation). This is set on the AcmeProvider object in the WebUI under Settings > TLS > ACME Providers.
Domain’s certificateManagement not set to Automatic: In the WebUI, go to your domain’s settings and confirm certificateManagement is set to Automatic and linked to the correct ACME provider.
To diagnose further, check the ACME-related log events (acme.auth-start, acme.auth-error, etc.) in Telemetry > Logs in the WebUI - these will show exactly where the challenge is failing.
port 80 not reachable: it is NOT blocked by the VPS firewall or hosting provider. BUT it is true that it isn’t normally reachable, since it appears Stalwart is not listening on port 80. This is shown by portchecker.co showing the port as blocked, but I was able to start a Python http.server on port 80, and then it was available normally.
DNS has now been pointing to the new VPS for at least half a day → how do I make sure the ACME challenge is reinitialized and rerun?
challenge type: I’ve tried both the TLS and HTTP-01 challenges, but it appears it’s never reinitialized
certificateManagement setting: I’ve checked, it’s set to “ACME TLS certificate management” (the other option is “Manual TLS certificate management”, which is clearly the incorrect setting here)
It turns out the issue was probably that, 2 days ago, DNS resolution wasn’t working correctly yet.
Anyways, to restart the ACME initialization I had to first switch to “Manual TLS certificate management” under the Domain name, then restart, and switch back again to “ACME TLS certificate management”, and now it has immediately worked with the TLS-ALPN-01 method.
In the meantime I still had an issue because I set up both the ALPN01 and the HTTP01 methods - apparently the HTTP01 method didn’t work
Anyways, now at least this is solved - now the testing and detailed setup of the new mailserver can start
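The two preconditions that came up in this thread (public DNS pointing only at the new VPS, and something accepting connections on the port the chosen challenge type needs) can be checked before re-triggering ACME. The following is an added example, not part of the original thread and not Stalwart code; the function names and the addresses used with it are assumptions made for illustration.

```python
import socket
import sys

# Inbound TCP port the ACME server must reach for each challenge type.
# DNS-01 is validated through DNS records, so it needs no inbound port.
CHALLENGE_PORT = {"http-01": 80, "tls-alpn-01": 443, "dns-01": None}

def resolved_ips(domain, resolver=socket.getaddrinfo):
    """Return every A/AAAA address the domain currently resolves to."""
    try:
        infos = resolver(domain, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(domain, expected_ips, challenge,
              resolver=socket.getaddrinfo, connect=port_open):
    """List the reasons an ACME challenge for this domain would likely fail."""
    expected = set(expected_ips)
    problems = []
    ips = resolved_ips(domain, resolver)
    if not ips:
        problems.append(f"{domain} does not resolve")
    elif ips - expected:
        # Typical after a migration: a stale record still names the old server.
        problems.append(f"{domain} still resolves to {sorted(ips - expected)}")
    port = CHALLENGE_PORT[challenge.lower()]
    if port is not None:
        for ip in sorted(expected):
            if not connect(ip, port):
                problems.append(f"no listener reachable on {ip}:{port} ({challenge})")
    return problems

if __name__ == "__main__":
    # Usage: preflight.py <domain> <challenge> <new-vps-ip> [<new-vps-ip> ...]
    # Run from a host outside the VPS so firewall rules are exercised too.
    found = preflight(sys.argv[1], sys.argv[3:], sys.argv[2])
    print("\n".join(found) or "preconditions look OK")
    sys.exit(1 if found else 0)
```

An empty result only means the preconditions hold; the acme.* events in the server log remain the authoritative record of what the challenge did.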