Stalwart v0.12.3 Serving Self-Signed Cert Despite Correct TLS Config & Permissions #1646
Unanswered
mynewopportunities asked this question in Q&A
Replies: 2 comments
- Hi, please check the documentation, you need to use a file macro if you want to load external files.
- Thanks.
Hi Stalwart Community,
I'm running into a persistent issue with Stalwart Mail Server v0.12.3 on Ubuntu 22.04 where it serves a self-signed certificate (CN = rcgen self signed cert) on TLS-enabled listeners (specifically port 465 SMTPS), despite the configuration pointing to a valid Let's Encrypt certificate.
Configuration (`/opt/stalwart/etc/config.toml`):

```toml
[server.listener.submissions]
bind = "[::]:465"
protocol = "smtp"
tls.implicit = true

[server.tls]
certificate = "/opt/stalwart/certs/fullchain.pem" # Also tried direct path to /etc/letsencrypt/live/...
private-key = "/opt/stalwart/certs/privkey.pem"   # Also tried direct path to /etc/letsencrypt/live/...
```
Symptoms:

- `openssl s_client -connect mailserver.coreitx.us:465 -quiet` shows `CN = rcgen self signed cert`.
- Stalwart logs repeatedly show `WARN No TLS certificates available (tls.no-certificates-available) total = 0` on startup and periodically.
Troubleshooting Steps Taken:

- Confirmed directory permissions on `/etc/letsencrypt/live/` and `/etc/letsencrypt/archive/` allow read/execute for others.
- Confirmed specific file permissions on the `.pem` files are world-readable.
- Used `sudo -u stalwart cat <path_to_pem_file>` to confirm the `stalwart` user can directly read both `fullchain.pem` and `privkey.pem`.
- Applied ACLs (`sudo setfacl -R -m u:stalwart:rX /etc/letsencrypt/...`) to explicitly grant read access.
- Bypassed Proxy: Ensured no other service (like Nginx Proxy Manager) is conflicting on port 465; `ss -tlpn` confirms Stalwart is the listener.

Despite all these steps, Stalwart continues to log `No TLS certificates available` and serves the self-signed certificate.
Could this be a bug in v0.12.3, an issue with how Stalwart parses PEM files from Let's Encrypt, or is there another configuration aspect or permission I might be missing?
Any help or pointers would be greatly appreciated!
Thanks,
Moiz Contractor
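The reply above points at the cause: a bare path string in the certificate settings is not dereferenced as a file, so the server finds no usable PEM data and falls back to its generated `rcgen` self-signed certificate. The snippet below is an added example written for this page, not the poster's configuration and not text from the Stalwart project. It assumes Stalwart's `%{file:...}%` macro syntax and the `[certificate.<id>]` section with `cert`, `private-key` and `default` keys as documented for recent Stalwart releases; verify both against the documentation for the exact version in use. The paths are the ones from the question.

```toml
# Listener unchanged from the question: implicit TLS on port 465.
[server.listener.submissions]
bind = "[::]:465"
protocol = "smtp"
tls.implicit = true

# Certificate definition (assumed section layout, see lead-in).
# The file macro makes Stalwart read the PEM contents from disk when the
# configuration is loaded or reloaded; a plain path string is not treated
# as a file reference, which is what produced the
# "No TLS certificates available ... total = 0" warning.
[certificate."default"]
cert = "%{file:/opt/stalwart/certs/fullchain.pem}%"
private-key = "%{file:/opt/stalwart/certs/privkey.pem}%"
default = true
```

After reloading the server, the same `openssl s_client -connect mailserver.coreitx.us:465 -quiet` check from the question should show the Let's Encrypt subject instead of `CN = rcgen self signed cert`; piping the session into `openssl x509 -noout -subject -fingerprint -sha256` and comparing the fingerprint with `openssl x509 -in /opt/stalwart/certs/fullchain.pem -noout -fingerprint -sha256` confirms the served chain is the intended one. Two points worth keeping in mind once it works: the private key is read only by the Stalwart process, so it needs to be readable by the `stalwart` user rather than world-readable (for example owned by `root:stalwart` with mode `0640`); and because the files under `/opt/stalwart/certs` are copies, each Let's Encrypt renewal has to refresh them and trigger a configuration reload, or the listener will keep serving the expired certificate.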