Your question
Caddy refreshes the TLS certificate and I copy it to Stalwart. stalwart-cli refreshes the certificate just like it’s documented here.
But the Stalwart UI still shows the old certificate (Settings → TLS → Certificates → my-cert).
Is this just a UI problem? How can I check if the refresh was successful?
Let me look into how certificate reloading works in Stalwart.
The key distinction here is how the Certificate object is configured. The ReloadTlsCertificates action tells Stalwart to re-read the certificate files from disk into memory for active TLS use. However, the metadata fields shown in the UI (notValidAfter, notValidBefore, issuer, subjectAlternativeNames) are server-set fields that are only updated when the Certificate object itself is written/updated via the JMAP API – not just when a hot-reload is triggered.
In other words:
- The hot reload works: the server is actively serving the new certificate to connecting clients after stalwart-cli create action/ReloadTlsCertificates.
- The UI still shows old metadata: because those server-set fields (notValidAfter, etc.) were parsed and stored at the time the Certificate object was last written, and a hot reload doesn’t update the stored object’s metadata.
To verify the reload actually worked, you can check what certificate a client sees by connecting directly to an SMTP/IMAP/HTTPS port and inspecting the served cert with a tool like:
```sh
openssl s_client -connect mail.example.com:465 -servername mail.example.com 2>/dev/null | openssl x509 -noout -dates -subject
```
To also refresh what the UI shows, you can update the Certificate object (e.g., touch the certificate field via x:Certificate/set with the same file path, or re-save it through the WebUI). This forces Stalwart to re-parse the cert and update the stored metadata fields.
Reference: TLS Certificates docs and Caddy reverse proxy docs
This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.
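To confirm the reload without relying on the UI metadata, the certificate presented on the wire can be compared byte for byte with the file copied from Caddy. The following is an added example, not part of the replies in this thread and not Stalwart's own tooling; the function names, the script name `check_reload.py` and its arguments are assumptions, and it only handles implicit-TLS ports such as 465, 993 or 443 (not STARTTLS).

```python
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S
)


def leaf_der_from_pem(pem_text: str) -> bytes:
    """Return the first certificate in a PEM file (the leaf of a full chain) as DER."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    return ssl.PEM_cert_to_DER_cert(match.group(0))


def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def served_der(host: str, port: int, timeout: float = 10.0) -> bytes:
    """Fetch the certificate the server presents on an implicit-TLS port."""
    # Chain validation is off on purpose: the file on disk is the reference,
    # and an expired or self-signed certificate must still be retrievable.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def reload_took_effect(pem_path: str, host: str, port: int) -> bool:
    """True when the served leaf is identical to the leaf in the file on disk."""
    with open(pem_path, encoding="ascii") as fh:
        on_disk = sha256_fingerprint(leaf_der_from_pem(fh.read()))
    return on_disk == sha256_fingerprint(served_der(host, port))


def main(argv):
    if len(argv) != 4:
        print("usage: check_reload.py CERT.pem HOST PORT")
        return 2
    ok = reload_took_effect(argv[1], argv[2], int(argv[3]))
    print("served certificate matches the file" if ok else "server presents a different certificate")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit status on a mismatch makes it usable as a final step in the script that copies the certificate and triggers the reload.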
When updating external certificates, you need to delete the old one and add it again so Stalwart re-parses the SANs and new expiration dates.