Troubleshoot CSE

Last updated on Jun 23, 2026

This guide helps you troubleshoot issues when Client-Side Encryption (CSE) isn’t working.

Check the KACLS service status

The KACLS service is available over HTTPS and requires a valid TLS certificate. Every device on your network should be able to reach the endpoint.

Use the curl command to check the service status:

curl https://kacls.meineInstanz-123456789.stackit.run/status

{"server_type":"KACLS","vendor_id":"STACKIT","version":"0.1.0","name":"stackit-kacls","operations_supported":["wrap","unwrap"]}

If the service doesn’t respond, check the following:

Firewall rules that block traffic
IP blocklists
Proxies or TLS inspection tools (for example Zscaler, Fortinet, Cisco)

Troubleshooting steps

Verify that ports 443 and 80 are open for traffic on your device.
Check that the Let’s Encrypt root certificate ISRG Root X1 is in your device’s trust store. This is especially important on Windows.
Verify that the Let’s Encrypt CRL URL is reachable:
- Windows (PowerShell): Run Test-NetConnection -ComputerName r13.c.lencr.org -Port 80
- Linux (Terminal): Run curl -I http://r13.c.lencr.org/ Look for an HTTP 200 status in the output.
- Browser: Open r13.c.lencr.org in your browser. An HTTP 404 status is expected. Look for a page that mentions “Let’s Encrypt CRL(s)”.

Example output for a successful connection test on Windows:

Test-NetConnection -ComputerName r13.c.lencr.org -Port 80

ComputerName     : r13.c.lencr.org
RemoteAddress    : 104.18.21.213
RemotePort       : 80
InterfaceAlias   : Ethernet 2
SourceAddress    : 10.0.20.39
TcpTestSucceeded : True

If the issue persists, contact STACKIT.