Letsencrypt ACME renewal process help

[mailcowboy]

First of all, let me start by saying how pleased I am with Stalwart Mail Server. It has been working flawlessly.

The only help I need from more expert users is with the correct settings for Letsencrypt renewal. My cert didn't renew on 12/06/2025. I had to delete and recreate the acme let's encrypt with these settings.

1. TLS-ALPN-01 Challenge and I was able to get a certificate. I have port 443 open and listening via Stalwart (I had to stop and start Stalwart service to get https://).
2. Do I need to open port 80? I don't have HTTP-01 selected so I should not have to open port 80. I have port 80 closed right now via Stalwart Mail Listener settings.
3. Should I open port 80 in http via Stalwart listener?
4. Should I select HTTP-01 instead of TLS-ALPN-01 and open port 80?
5. Do I need to stop and restart Stalwart service when the cert renews?

I ran ss -tuln in and only have these ports open in Stalwart for security since I don't need the POP and other services. I also closed 8080 per the recommendations, only for initial setup.

https [::]:443
imaptls [::]:993
smtp [::]:25
submissions [::]:465

I am a bit confused about the whole process of renewing my Letsencrypt cert via Stalwart Mail.

Any guidance is welcomed. Thanks!

[ngocnha]

The issue seems to come from a misunderstanding of how each ACME challenge method works.
Each challenge requires a specific port, and the ACME server will only use that port during validation:

1. TLS-ALPN-01

• Validation happens exclusively on port 443 using ALPN.
• Port 80 is not required.
• Only works for specific domains (e.g., example.com, mail.example.com).
• Cannot be used to validate or renew wildcard certificates (e.g., *.example.com).
• Make sure port 443 is reachable from the internet and that Stalwart is listening on this port.

2. HTTP-01

• Validation happens only on port 80 via plain HTTP.
• Port 443 is not used for this method.
• Also only works for specific domains, not wildcard domains.
• Ensure port 80 is open publicly and routed to Stalwart (or the HTTP server serving the challenge).

3. DNS-01 (for wildcard domains)

• This is the only challenge type that supports wildcard certificates such as *.example.com.
• Requires adding a specific TXT DNS record for each validation.
• Does not rely on port 80 or 443 at all.
• Must use DNS provider integration or manual DNS updates to complete the challenge.

Key point

Whichever challenge you choose, you must ensure:

• The required port (80 or 443) is open and reachable for HTTP-01 or TLS-ALPN-01, or
• DNS TXT records are correctly created (for DNS-01).

Using the wrong challenge type for your domain (especially wildcard domains) will cause the validation to fail.

[mailcowboy]

Thank you @ngocnha for replying to my post and for the great explanation.

I will leave it as is. I do have port 443 opened since I am able to login to the portal with https://mail.xxx.com/ In 70 days, I check see if it renewed since I have the renewal date default at 30 days before. I will also check the logs. I have been using Stalwart for a year and this is the first time that it didn't renew. I have the latest version installed and updated. [0.14.1] - 2025-10-28. Android Thunderbird would not sync and gave me a message about my ssl and that is how I knew it did not review. Maybe I had to stop and start the Stalwart mail service, but I did not have to do this in the past. Either way, I will monitor it.

my settings:

ACME provider
directory id: letsencrypt
contact: [email protected]
renew before: 30 days
default provider: yes
directory url: https://acme-v02.api.letsencrypt.org/directory
challenge type: TLS-ALPN-01
subject name: mail.xx.com

ports settings in config.toml

server.listener.https.bind = "[::]:443"
server.listener.https.protocol = "http"
server.listener.https.tls.implicit = true
server.listener.imaptls.bind = "[::]:993"
server.listener.imaptls.protocol = "imap"
server.listener.imaptls.proxy.override = false
server.listener.imaptls.socket.override = false
server.listener.imaptls.tls.implicit = true
server.listener.imaptls.tls.override = false
server.listener.smtp.bind = "[::]:25"
server.listener.smtp.protocol = "smtp"
server.listener.submissions.bind = "[::]:465"
server.listener.submissions.protocol = "smtp"
server.listener.submissions.tls.implicit = true