Why "Multiple TLS certificates available" is logged?

Your question

Stalwart 0.16.5 Docker

Hello,

currently every 30 seconds the following is logged:

2026-05-14T20:00:14Z WARN Multiple TLS certificates available (tls.multiple-certificates-available) total = 5
2026-05-14T20:00:44Z WARN Multiple TLS certificates available (tls.multiple-certificates-available) total = 5

Certificates are correctly set up and working. Logging this as a WARN seems like something that needs to be addressed, but I am not sure what the warning is trying to tell me or how to remove the warning.

I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.


Let me look into this warning message in the source code.

Here is what is happening and how to resolve it.

The warning fires when a connecting client does not send a TLS SNI (Server Name Indication) value in its ClientHello, and Stalwart has more than one certificate loaded. Looking at the source code in crates/common/src/network/tls.rs, the logic is:

  1. Try to match the client’s SNI hostname against the stored certificates.
  2. If no SNI was sent (or no match was found even after a wildcard attempt), fall back to the default certificate.
  3. If there is no defaultCertificateId configured and there are multiple certificates available, Stalwart cannot know which one to pick – so it logs WARN: Multiple TLS certificates available (total = 5) and just returns the first one it finds.

The fix: Set defaultCertificateId on the SystemSettings singleton to point at whichever of your 5 certificates should be served to clients that do not send SNI. You can do this in the WebUI under Settings › Network › General (the SystemSettings object). Once a default is configured, the fallback path will always resolve to that specific certificate without ambiguity, and the warning will stop.

As the docs explain:

For clients that do not send an SNI value, the server falls back to a single default certificate. This default is selected globally by defaultCertificateId on the SystemSettings singleton, which points at one of the configured Certificate records.

Reference: TLS Certificates documentation

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong. If you found it useful, mention @helpbot in any reply to ask follow-up questions and the bot will respond again.
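The fallback order described in the reply above, modelled as an added Rust sketch (not part of the original thread and not Stalwart's code from crates/common/src/network/tls.rs). The `Store`, `Pick` and `sample` names, the certificate ids, and the name-ordered choice of the "first" certificate are assumptions made for illustration:

```rust
use std::collections::BTreeMap;

// Hypothetical model of the fallback order described in the reply; not Stalwart's code.
#[derive(Debug, PartialEq)]
pub enum Pick<'a> {
    Sni(&'a str),              // exact or wildcard match on the client's SNI
    Default(&'a str),          // no usable SNI, a default certificate is set
    Only(&'a str),             // no default, but a single certificate: no ambiguity
    Ambiguous(&'a str, usize), // the WARN case: first certificate found, total count
    None,                      // no certificates loaded
}

pub struct Store {
    pub certs: BTreeMap<String, String>, // subject name -> certificate id
    pub default_id: Option<String>,      // stands in for defaultCertificateId
}

impl Store {
    pub fn resolve(&self, sni: Option<&str>) -> Pick<'_> {
        if let Some(name) = sni.map(|s| s.to_ascii_lowercase()) {
            if let Some(id) = self.certs.get(&name) {
                return Pick::Sni(id);
            }
            // Wildcard attempt: replace the left-most label with "*".
            let wildcard = name.split_once('.').map(|(_, rest)| format!("*.{}", rest));
            if let Some(id) = wildcard.and_then(|w| self.certs.get(&w)) {
                return Pick::Sni(id);
            }
        }
        if let Some(id) = &self.default_id {
            return Pick::Default(id);
        }
        match self.certs.values().next() {
            None => Pick::None,
            Some(id) if self.certs.len() == 1 => Pick::Only(id),
            Some(id) => Pick::Ambiguous(id, self.certs.len()), // what the log line reports
        }
    }
}

pub fn sample() -> Store {
    // Constructed sample data: three certificates, no default selected.
    let names = [("*.example.net", "cert-wild"), ("example.com", "cert-web"), ("mail.example.org", "cert-mail")];
    let certs = names.iter().map(|(n, id)| (n.to_string(), id.to_string())).collect();
    Store { certs, default_id: None }
}
```

In this model, clients that send a matching SNI never reach the ambiguous branch, which is why certificates can be "working" while the warning still fires for connections without SNI.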

Ha, indeed the bot is correct, I did not select a default certificate :sweat_smile: