Not able to retrieve certificates through Let's encrypt ACME (behind caddy) - worked around

I also started writing a forum post, but then changed it to an issue, so here it is anyway:

I believe this to be a bug in 0.16.8 (that is what I’m using).

Stalwart will not retrieve a certificate for mail.domain.com automatically (that's the hostname used) even though I have configured an ACME (Let's Encrypt) provider with the HTTP-01 challenge, which should work, as Caddy is redirecting http requests to ./well-known to https and Let's Encrypt is requesting them.

My DNS records had just MX records for domain.com and A records for mail.domain.com. I noticed that the acme client was requesting a certificate for the default SANs as well, and I assume the request failed because the alternate SANs (mta-sts, autodiscover, autoconfig) did not exist.

I then created autodiscover and autoconfig CNAMEs in DNS and added those two to the SANs under the domain configuration for domain.com. Now Stalwart requested the certificate only for autoconfig.domain.com with subject alternative names autoconfig.domain.com and autodiscover.domain.com. So no certificate for mail.domain.com. Why?

The process of re-requesting certificates is quite convoluted: switch to manual, save, switch to automatic, fill in the details, save. Restarting the container does not help.

So, I found out later (Refresh certificates manually) that I can go to Tasks and issue AcmeRenewal for a domain through the GUI or through the CLI.

The log contains a warning: 2026-06-12T14:02:01Z WARN Multiple TLS certificates available (tls.multiple-certificates-available) total = 2

I then added mail to the SANs on the domain, issued a renewal and got all three.

I then added production ACME provider and changed domain configuration to use the production provider. Triggered AcmeRenewal task. Done :oncoming_fist:.

Questions:

Why does Stalwart log a warning that multiple certificates exist?

Why does it not request a certificate for mail.domain.com automatically (without the autodiscover and autoconfig gymnastics)? Is it expected that those CNAMEs are present for every installation?

I believe the documentation should at least be updated to list the requirements (unless I've misread it). I also believe that the server certificate should be requested and there should be a way to manage that (not only through the domain TLS settings).