Using acme.sh to get certs, but Stalwart does not refresh "Valid From" and "Expires" in TLS -> Certificates

Issue Description

I use acme.sh to get my certificates, but when I get a new cert (letsencrypt) Stalwart does not show the new “Valid From” and “Expires” date in the TLS → Certificates page.
Also, when I restart Stalwart, the page shows the old dates.

I use stalwart 0.16.5

Expected Behavior

Normally the TLS → Certificates page should show the correct dates

Actual Behavior

I see the old dates on the Stalwart TLS->Certificates UI:

Expires (Expiration date of the certificate): Aug 12, 2026, 9:34 PM
Valid From (Issuance date of the certificate): May 14, 2026, 9:34 PM
Issuer (Certificate issuer): C=US, O=Let’s Encrypt, CN=E8

#########

I have checked with “sslscan https://mail.schleicher.li:465” and get the following output:

SSL Certificate:
Signature Algorithm: ecdsa-with-SHA384
ECC Curve Name: prime256v1
ECC Key Strength: 128

Subject: schleicher.li
Altnames: DNS:.lug-bruchsal.de, DNS:.lugbruchsal.de, DNS:*.schleicher.li, DNS:lug-bruchsal.de, DNS:lugbruchsal.de, DNS:schleicher.li
Issuer: E8

Not valid before: May 15 05:54:53 2026 GMT
Not valid after: Aug 13 05:54:52 2026 GMT

The dates are different. Stalwart uses the new cert, but the UI shows the old dates.

Reproduction Steps

  1. Create certs with acme.sh.
  2. Configure the certs in the Stalwart UI.
  3. Renew the acme.sh certs and restart Stalwart.
  4. The Stalwart UI still shows the old cert.

Stalwart Version

v0.16.x

Installation Method

Binary (Linux)

Database Backend

RocksDB

Blob Storage

RocksDB

Search Engine

Internal

Directory Backend

Internal

I have reviewed the documentation and FAQ and confirm that my issue is NOT addressed there.

I have searched this support forum (open and closed topics) and confirm this is not a duplicate.

I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.

Let me research how Stalwart handles TLS certificate loading and storage to understand this issue.

The root cause is clear. Here is what’s happening and how to fix it.

The UI displays stale metadata because the Certificate object in Stalwart’s store was never updated

When you use manual mode (i.e. you give Stalwart a file path or inline PEM for the cert), Stalwart parses the certificate at save time and caches the read-only metadata fields (notValidBefore, notValidAfter, issuer, SANs) in its database. Just replacing the file on disk – or even restarting the service – does not re-parse the file and update those cached fields. That is why:

  • sslscan shows the new dates (Stalwart is serving the new file correctly from disk), but
  • the WebUI still shows the old dates (it is displaying the stale cached metadata from the last time you saved the Certificate object).

What to do

After acme.sh renews your certificate, you need to trigger a TLS certificate reload, which re-reads the file and updates the metadata. Per the docs, this can be done without stopping the server:

  • From the WebUI (Settings › TLS › Certificates, then trigger the reload action), or
  • From the CLI:

    stalwart-cli --url https://<your-host> --api-key <TOKEN> create action/ReloadTlsCertificates

You can automate this in your acme.sh --reloadcmd hook (or a cron job / systemd unit that fires after renewal) so it runs automatically every time a new cert is installed. For example, as a --reloadcmd:

stalwart-cli --url https://mail.example.com --api-key <TOKEN> create action/ReloadTlsCertificates

After the reload, the WebUI will show the correct new “Valid From” and “Expires” dates.

Relevant docs: TLS Certificates - Reloading certificates and the Caddy reverse proxy page (which shows a full systemd + CLI reload example you can adapt for acme.sh).

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong. If you found it useful, mention @helpbot in any reply to ask follow-up questions and the bot will respond again.

I already copy the new acme.sh certs to the Stalwart machine and run the following command.

root@stalwart:~# /root/.cargo/bin/stalwart-cli --url https://mail.schleicher.li --api-key “here my API KEY” create action/ReloadTlsCertificates
Created Action bvanvhq

But it does not change the TLS → Certificates dates in the WEB-UI.
Also a “systemctl restart stalwart” does not fix it.

Stalwart parses the certificate info only when the certificate is created. When rotating an external certificate, you need to delete the old certificate from Stalwart and add it again after each change. This could be automated using either the JMAP API or the CLI.

Thanks for the answer.

I already run the CLI command “… server reload-certificates”.

Is it really required to re-configure (delete and add) the new certificate, or is it just required to display the correct expiry date?
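
The thread turns on telling a listener that has not picked up the renewed certificate apart from a UI that only shows stored metadata. The script below is an added example, not part of any post in this thread and not Stalwart or acme.sh code: it compares the leaf certificate in the renewed PEM file with the one presented on the implicit-TLS port. The file path, host name, function names and the constructed sample PEMs are assumptions for illustration.

```python
import hashlib
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def leaf_fingerprint(pem_text: str) -> str:
    """SHA-256 of the first (leaf) certificate in a PEM file or full chain."""
    start = pem_text.index(PEM_BEGIN)
    end = pem_text.index(PEM_END, start) + len(PEM_END)
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:end])
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host: str, port: int = 465, timeout: float = 10.0) -> str:
    """SHA-256 of the leaf certificate presented on an implicit-TLS port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # comparison only: the reference is the
    ctx.verify_mode = ssl.CERT_NONE  # on-disk file, not this handshake
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def diagnose(disk_fp: str, served_fp: str) -> str:
    """Classify the situation from the two fingerprints."""
    if disk_fp == served_fp:
        return "listener serves the renewed cert; stale UI dates are stored metadata"
    return "listener still serves another cert; the renewal was not picked up"


# Constructed stand-ins (not real certificates) so the helpers run offline.
OLD_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-old-leaf")
NEW_CHAIN = (ssl.DER_cert_to_PEM_cert(b"constructed-new-leaf")
             + ssl.DER_cert_to_PEM_cert(b"constructed-issuer"))

if __name__ == "__main__":
    # Assumed usage: check_served.py /path/to/fullchain.pem mail.example.com [port]
    pem_path, host = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 465
    with open(pem_path, encoding="ascii") as fh:
        disk = leaf_fingerprint(fh.read())
    served = served_fingerprint(host, port)
    print(diagnose(disk, served))
    sys.exit(0 if disk == served else 1)
```

The exit status is non-zero on a mismatch, so the script can run after a renewal and fail loudly when the listener has not switched certificates.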