Generate or renew my own SSL certificates

By default, Link11 supports communication between customer backends and Let's Encrypt.

When a backend system requests a new or renewed certificate from LE, Let's Encrypt first responds with a challenge request. Because Link11 WAAP is a proxy for the backend, this challenge request arrives at L11WAAP rather than at the backend.

Under normal circumstances, L11WAAP will forward this to the customer system. If this is not occurring, something in L11WAAP's default configuration might have been changed.

To correct this, perform the following two-step process.

Step 1: Verify the necessary Global Filter

  1. Confirm that there is a Global Filter named Let's Encrypt Requests.

  2. Confirm that this Filter:

    1. will add a tag of let-s-encrypt

    2. has an Action of monitor (tag only)

    3. contains a single Rule entry, with Category set to URI and Match set to ^/\.well-known/(acme-challenge|rbz-traffic)/[A-Za-z0-9_-]+$

  3. If any edits were performed as a result of the above, save them and publish.

If your planet was created before May 2025, the Global Filter described above should have been added during the upgrade to v5.3.17. Therefore, it should be restorable from the Version History at the bottom of the Global Filter Editor. Alternatively, the settings described above can be entered manually.

Step 2: Verify the passthrough of Let's Encrypt traffic

The Global Filter described above will add a tag of let-s-encrypt to challenges from LE.

To ensure that this traffic is passed through L11WAAP to the customer backend:

  1. Ensure that this tag is in the Ignore field in every Content Filter Profile. During this process, if a Profile is edited, ensure that the changes are saved.

  2. After all Profiles have been checked, publish the changes (if any were made).
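The following is an added example (not Link11's own code) that models the two checks above: which request paths the Global Filter's URI match would tag, and which Content Filter Profiles still lack the tag in their Ignore field. The regex and tag name are the ones given on this page; the profile class and sample paths are constructed stand-ins.

```python
import re
from dataclasses import dataclass, field

# Added example, not Link11 code. The URI pattern and tag are the ones the page
# gives for the "Let's Encrypt Requests" Global Filter; the rest is a constructed model.
ACME_URI = re.compile(r"^/\.well-known/(acme-challenge|rbz-traffic)/[A-Za-z0-9_-]+$")
ACME_TAG = "let-s-encrypt"


def tags_for_path(path: str) -> set[str]:
    """Tags the Global Filter (Action: monitor, tag only) would attach to a request path."""
    return {ACME_TAG} if ACME_URI.match(path) else set()


@dataclass
class ContentFilterProfile:
    name: str
    ignore: set[str] = field(default_factory=set)  # stand-in for the profile's Ignore field


def profiles_missing_tag(profiles: list[ContentFilterProfile]) -> list[str]:
    """Step 2 audit: profiles that would still content-filter tagged LE traffic."""
    return [p.name for p in profiles if ACME_TAG not in p.ignore]


def content_filter_skipped(profile: ContentFilterProfile, path: str) -> bool:
    """True when the request reaches Content Filtering carrying a tag the profile ignores."""
    return bool(tags_for_path(path) & profile.ignore)


# Constructed sample paths: only a single well-formed token directly under one of
# the two well-known prefixes picks up the tag; everything else is filtered normally.
SAMPLE_PATHS = {
    "/.well-known/acme-challenge/Ab9_-token": True,
    "/.well-known/rbz-traffic/Ab9_-token": True,
    "/.well-known/acme-challenge/": False,           # empty token
    "/.well-known/acme-challenge/tok/extra": False,  # extra path segment
    "/.well-known/acme-challenge/tok.bad": False,    # '.' is not in the token class
    "/acme-challenge/Ab9_-token": False,             # wrong prefix
}

if __name__ == "__main__":
    for path, expected in SAMPLE_PATHS.items():
        assert (ACME_TAG in tags_for_path(path)) is expected, path
    profiles = [
        ContentFilterProfile("default", {ACME_TAG}),
        ContentFilterProfile("api"),  # a profile whose Ignore field was never updated
    ]
    print("profiles to fix:", profiles_missing_tag(profiles))  # ['api']
```

Whether the WAAP applies the URI match to the path alone or to the full request line (including any query string) is not stated on this page, so the sample paths carry no query strings.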

Troubleshooting

If the process above is followed, and Let's Encrypt traffic is still being blocked by L11WAAP, check the LE requests in the Events Log to discover the reason(s) for this.

Note that the passthrough of Let's Encrypt requests does not occur until the Content Filtering stage of the traffic filtering process. This means that several stages of filtering are still performed before the passthrough can occur. If legitimate requests from Let's Encrypt are tagged with let-s-encrypt but are still being blocked, use the Events Log entries to determine the source of the blocking action, and then correct the security settings that are responsible for this.

Getting assistance

Feel free to contact support for assistance with any part of the process described above.
