My Stalwart server appears to have been issued a YE1 certificate, which is rather new and doesn’t seem to be in other mail server stores, making incoming emails bounce (I use NPM to handle outbound, and that has issued a more standard certificate; Stalwart handles its certs for SMTP etc.). Is there any way I can change the certificate profile within Stalwart? I have looked around a lot, and have found nothing, so my server remains almost completely out of order.
I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.
The core issue is that Stalwart’s ACME integration obtained a certificate signed by Let’s Encrypt’s YE1 intermediate, which some older mail server trust stores don’t carry yet. There are two practical workarounds:
Option 1 (recommended short-term): Switch to Manual certificate mode and upload a cert obtained externally
You can use an external ACME client (e.g. Certbot or acme.sh) to request a certificate from Let’s Encrypt and specify a preferred chain (e.g. the older ISRG Root X1 chain) that avoids YE1. Then switch the domain’s certificateManagement to Manual in the WebUI under Settings > TLS > Certificates, and paste in your PEM certificate and private key. Stalwart will present that certificate for all matching SMTP/IMAP connections.
Option 2: Point the ACME provider at a different CA
In the WebUI under Settings > TLS > ACME Providers, you can edit the directory field to point to a different ACME-compatible CA (e.g. ZeroSSL at https://acme.zerossl.com/v2/DV90) that uses a more widely trusted intermediate. Note that directory is marked read-only in the AcmeProvider object schema, which means you may need to delete the existing provider and create a new one pointing at the alternate CA.
Manual cert upload steps:
- WebUI > Settings > TLS > Certificates > Create new Certificate
- Paste your full PEM chain (certificate field) and private key (privateKey field)
- Go to your Domain > TLS > set certificateManagement to Manual
Relevant docs: TLS Certificates and ACME Provider reference
Note: Stalwart’s ACME client itself does not currently expose a “preferred chain” option (like --preferred-chain in Certbot). If you need to stay with Let’s Encrypt specifically and force the older chain, the manual certificate upload path is the cleanest solution until the YE1 intermediate propagates more widely.
This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.
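As an added example (not from this thread and not Stalwart's own tooling), a small POSIX shell helper for the external-client route in Option 1: it requests the certificate with certbot's --preferred-chain, then shows which intermediate a PEM bundle or a live SMTP server actually presents, so you can confirm the chain before pasting it into the Manual certificate fields. It assumes certbot and openssl are installed, that port 80 is free for certbot's standalone authenticator (adjust the authenticator if NPM owns port 80), and that mail.example.org is a placeholder for your own hostname.

```shell
#!/bin/sh
# Added example; not part of Stalwart. Placeholders: mail.example.org, file paths.
set -e

# Request a Let's Encrypt certificate, asking certbot for the chain that
# terminates in ISRG Root X1 instead of the newer intermediate. The resulting
# fullchain.pem and privkey.pem are what goes into Stalwart's Manual fields.
request_cert() {
  domain="$1"
  certbot certonly --standalone -d "$domain" \
    --preferred-chain "ISRG Root X1" \
    --non-interactive --agree-tos -m "postmaster@${domain}"
}

# Count the certificates in a PEM bundle (pure shell, no openssl needed).
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Print subject and issuer of every certificate in a PEM bundle, in order.
# The last issuer line tells you which root the chain is built towards.
list_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Show the chain a live SMTP server presents after STARTTLS on port 25,
# i.e. what a peer mail server sees when it decides whether to trust you.
live_chain() {
  openssl s_client -connect "$1:25" -starttls smtp -showcerts </dev/null 2>/dev/null \
    | openssl crl2pkcs7 -nocrl -certfile /dev/stdin \
    | openssl pkcs7 -print_certs -noout
}

# Typical use (commented out so the functions can be sourced safely):
# request_cert mail.example.org
# list_chain /etc/letsencrypt/live/mail.example.org/fullchain.pem
# live_chain mail.example.org
```

After uploading the certificate and switching the domain to Manual, run live_chain against your own host and check that the issuer lines no longer mention the YE1 intermediate.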
The bot's solutions all seem to be workarounds. If it is correct in saying these are the only ways, does that not make it an issue with Stalwart itself?
v0.16.9 will include a new setting under the AcmeProvider object that will allow you to define a preferred certificate chain.