Issue Description
Ubuntu 24.04.4 LTS
I blew away my 0.15.x version and then installed version 0.16. Now I’m getting a self-signed cert when I try to log in, and the logs are telling me No TLS certificates available. I figured out how to get this working in the 0.15 version, and I’m not sure what I’m doing wrong in the 0.16 version, but all I know is I cannot figure out how to get Stalwart to use Let’s Encrypt generated certs.
Expected Behavior
Stalwart should automatically use LetsEncrypt to generate certs
Actual Behavior
The logs are saying No TLS certificates available
Reproduction Steps
Install stalwart and configure a default domain
Relevant Log Output
Timestamp: May 8, 2026 at 7:40 PM
Level: Warning
Event: No TLS certificates available
Details: total = 0
Stalwart Version
v0.16.x
Installation Method
Binary (Linux)
Database Backend
RocksDB
Blob Storage
RocksDB
Search Engine
Internal
Directory Backend
Internal
The “No TLS certificates available” warning means Stalwart has no certificate assigned to serve yet. Since you’re coming from 0.15, the ACME setup needs to be recreated — it is not automatically migrated. Here’s what to do in the WebUI:
Step 1 — Create an ACME Provider
Go to Settings › TLS › ACME Providers and add a new provider. The key fields are:
| Field | Value |
|---|---|
| directory | https://acme-v02.api.letsencrypt.org/directory |
| challengeType | TlsAlpn01 (default) — requires port 443 to be publicly reachable; or Http01 / Dns01 / DnsPersist01 if behind a proxy |
| contact | Your email address (e.g. [email protected]) |
Tip: Test first with the Let’s Encrypt staging URL (https://acme-staging-v02.api.letsencrypt.org/directory) to avoid rate-limit issues, then switch to production once it works.
Step 2 — Point your Domain at the ACME Provider
Go to your domain’s settings and set certificateManagement to Automatic, then set acmeProviderId to the provider you just created. This is what actually triggers certificate issuance — the ACME provider itself does not list domains; each domain opts in individually.
Step 3 — (Optional) Set a Default Certificate
If clients connecting without SNI get the self-signed cert, go to Settings › System and set defaultCertificateId to the certificate issued by your ACME provider.
Common gotcha with TLS-ALPN-01
If you’re using the default TlsAlpn01 challenge, Let’s Encrypt must be able to reach TCP port 443 on your server directly from the internet. If a reverse proxy or firewall is in front, the challenge will fail. In that case, switch to Http01 or Dns01.
Full details: ACME Configuration docs and ACME Challenge Types.
This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong. If you found it useful, mention @helpbot in any reply to ask follow-up questions and the bot will respond again.
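To confirm which certificate the server actually presents after the steps above, with and without SNI (the case Step 3 covers), the following is an added example, not part of the original posts and not Stalwart's own code. The function names, the `mail.example.org` placeholder host, and the sample certificate fields used to exercise it are assumptions.

```python
import socket
import ssl
import sys


def summarize(cert):
    """Reduce an ssl.getpeercert() dict to the fields relevant to this check."""
    def flat(name):
        # getpeercert() gives a tuple of RDNs, each a tuple of (key, value) pairs
        return {k: v for rdn in cert.get(name, ()) for k, v in rdn}

    subject, issuer = flat("subject"), flat("issuer")
    return {
        "subject_cn": subject.get("commonName"),
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "self_signed": bool(subject) and subject == issuer,
        "not_after": cert.get("notAfter"),
    }


def probe(host, port=443, send_sni=True, timeout=5.0):
    """Handshake with chain validation against the system trust store."""
    ctx = ssl.create_default_context()
    if not send_sni:
        # Without a server name there is nothing to match; the chain is still verified.
        ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            name = host if send_sni else None
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                return {"trusted": True, **summarize(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        # OpenSSL verify codes 18 and 19: self-signed leaf / self-signed cert in chain
        return {"trusted": False,
                "self_signed": exc.verify_code in (18, 19),
                "error": exc.verify_message}
    except OSError as exc:
        # Connection refused, timeout, or another TLS failure
        return {"trusted": False, "self_signed": None, "error": str(exc)}


if __name__ == "__main__":
    # mail.example.org is a placeholder; pass your own host as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"
    for sni in (True, False):
        print("with SNI   " if sni else "without SNI", probe(target, send_sni=sni))
```

A result that is trusted with SNI but self-signed without it points at the default certificate setting rather than at ACME issuance.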
I had the same issue, but figured out the solution. It seems Stalwart does obtain the certificates, but does not apply them. Only after I rebooted Stalwart, the certificates got loaded correctly.
Guess this is a bug currently!
Thanks for reporting that, BE3013! That’s a useful data point.
To clarify: a restart shouldn’t be necessary just to activate a freshly issued ACME certificate — Stalwart is designed to provision and load certificates automatically. However, the management REST API does expose a /api/reload/certificate endpoint that forces a certificate reload without a full restart. If you ever hit this again before rebooting, it’s worth trying that first.
That said, if ACME certificates are consistently requiring a restart to take effect after initial issuance, that does sound like it could be a bug worth reporting. If you can reproduce it, please open a bug report at github.com/stalwartlabs/mail-server with your logs from the ACME provisioning sequence — the developers will be able to confirm whether this is expected behavior or not.
This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong. If you found it useful, mention @helpbot in any reply to ask follow-up questions and the bot will respond again.
Hmmm. Even after restarting Stalwart I’m still seeing self-signed certs. Curiouser and curiouser, especially since this all worked fine in 0.15.
Figured it out. Turns out that for whatever reason, the initial calls to get certs from LetsEncrypt failed and Stalwart failed the task and didn’t retry it. I manually modified it to retry the task and it completed successfully.