# Generate or renew my own SSL certificates By default, Link11 supports communication between customer backends and [Let's Encrypt](https://letsencrypt.org/). When a backend system requests a new or renewed certificate from LE, Let's Encrypt responds initially with a challenge. Because Link11 WAAP is a proxy for the backend, this challenge will be sent to L11WAAP. Under normal circumstances, L11WAAP will forward this to the customer system. If this is not occurring, something in L11WAAP's default configuration might have been changed. To correct this, perform the following two-step process. ## Step 1: Verify the necessary Global Filter 1. Confirm that there is a [Global Filter](/console-walkthrough/security/global-filters.md) named *Let's Encrypt Requests*. 2. Confirm that this Filter: 1. is in [Active mode](/console-walkthrough/security/global-filters.md#general-parameters) 2. will add a tag of `let-s-encrypt` 3. has an [Action](/console-walkthrough/security/global-filters.md#action) of `monitor (tag only)` 4. contains a single [Rule](/console-walkthrough/security/global-filters.md#rule-list) entry, with *Category* set to `URI` and *Match* set to `^/\.well-known/(acme-challenge|rbz-traffic)/[A-Za-z0-9_-]+$` 3. If any edits were performed as a result of the above, save them and [publish](/console-walkthrough/system/publish-changes.md). {% hint style="info" %} If your planet was created before May 2025, the Global Filter described above should have been added during the upgrade to v5.3.17. Therefore, it should be restorable from the Version History at the bottom of the Global Filter Editor. Alternately, the settings described above can be edited manually. {% endhint %} ## Step 2: Verify the passthrough of Let's Encrypt traffic The Global Filter described above will add a tag of `let-s-encrypt` to challenges from LE. To ensure that this traffic is passed through L11WAAP to the customer backend: 1. Ensure that this tag is in the [Ignore field](/console-walkthrough/security/content-filter/profiles.md#step-3-allowlisting) in every Content Filter Profile. During this process, if a Profile is edited, ensure that the changes are saved. 2. After all Profiles have been checked, publish the changes (if any were made). ## Troubleshooting If the process above is followed, and Let's Encrypt traffic is still being blocked by L11 WAAP, check the LE requests in the Events Log to discover the reason(s) for this. Note that the passthrough of Let's Encrypt requests does not occur until the Content Filtering stage of the [traffic filtering process](/how-link11-waap-works/traffic-filtering-process.md). This means that several stages of filtering are still performed before the passthrough can occur. If legitimate requests from Let's Encrypt are tagged with `let-s-encrypt` but are still being blocked, use the Events Log entries to determine the source of the blocking action, and then correct the security settings that are responsible for this. ## Getting assistance Feel free to [contact support](/mobile-sdk-v2.3.0/support.md) for assistance with any part of the process described above. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://waap.docs.link11.com/using-the-product/how-do-i.../generate-or-renew-my-own-ssl-certificates.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.