Unreachable endpoints
What "unreachable" means in CertShield, why it happens, and how to debug it.
An endpoint is marked unreachable when CertShield can’t open a TCP connection to it on its port (usually 443). It’s one of the more common non-green states, and it usually has a simple cause.
What CertShield actually tried
CertShield re-checks each endpoint on a schedule by opening a standard TLS connection to the hostname and port and asking the server to present its certificate. “Unreachable” means one of:
- The TCP handshake timed out.
- The connection was refused (the host answered, but nothing accepted the connection on that port).
- DNS for the hostname failed to resolve.
- TLS negotiation never started.
It does not mean the certificate is bad. A bad certificate on a reachable server shows up as install error or expired or revoked, not unreachable.
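As an added debugging aid (not CertShield's own probe code), the following Python script walks the same stages from a machine you control, so you can see which stage fails and compare it with what CertShield reports. The hostname and port are whatever you pass in; certificate verification is deliberately off because certificate validity is a separate state.

```python
import socket
import ssl

# Added example, not CertShield's probe implementation: it walks the same
# stages (DNS, TCP connect, TLS handshake, certificate retrieval) and reports
# which one failed, using the reasons from the list above as state names.

def classify_error(exc):
    """Map a probe exception onto one of the 'unreachable' reasons."""
    if isinstance(exc, socket.gaierror):
        return "dns_failed"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ssl.SSLError):
        return "tls_failed"
    return "unknown"


def probe(hostname, port=443, timeout=5.0):
    """Return (state, detail); state is 'reachable' or a failure reason."""
    try:
        addrs = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return classify_error(exc), str(exc)
    ip, _ = addrs[0][4][:2]  # first answer; sockaddr is (ip, port[, ...])
    # Verification is off on purpose: a bad certificate on a reachable server
    # is a different state (expired/revoked/install error), not 'unreachable'.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert(binary_form=True)
                return "reachable", f"{tls.version()}, certificate {len(cert)} bytes"
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return classify_error(exc), str(exc)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(host, port))
```

Running it from inside the origin network and from outside is a quick way to tell a firewall drop (timeout only from outside) from a server that is actually down.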
Common causes, in order of frequency
1. The server was temporarily down during our check
Scheduled maintenance, a deploy restart, or a transient cloud provider issue. If the endpoint is fine right now, click Check Now on the endpoint detail page to force a fresh probe. It should flip back to healthy.
2. The hostname no longer points where it used to
Common when a DNS record has been changed (migrating clouds, moving to a new load balancer, sunsetting an environment) and resolvers are still handing out the old answer. The endpoint record in CertShield is the hostname, not a specific IP, so once DNS changes, future probes follow the new record automatically. But if the old IP is truly gone, the first few probes fail until the record stabilizes.
3. A firewall or security group is blocking the probe
If your origin servers sit behind a firewall that only allows traffic from specific IPs, CertShield’s probes may be silently dropped (a dropped probe shows up as a handshake timeout rather than a refused connection). If you suspect this is what’s happening, reach out via Support and we’ll help you figure out whether an allow-list change on your side is needed.
4. The endpoint only listens on a non-standard port
CertShield probes port 443 by default. If the service only listens on, say, 8443, it won’t show up as healthy on a 443 probe. This is working as designed — public web traffic targets 443. If you legitimately need to monitor an alternate port, let support know.
5. The endpoint is no longer in service
The hostname was decommissioned, the load balancer was deleted, the customer offboarded. In this case, the endpoint will stay unreachable forever unless you do something about it. Two clean options:
- Archive the endpoint so it stops generating alerts and stops counting toward your plan limit. Its history stays. See Endpoints.
- Delete the domain if the entire domain is gone. See Managing domains.
When auto-scanning pauses
After several consecutive unreachable probes, CertShield backs off and stops automatically re-checking the endpoint — there’s no point burning cycles on something that’s clearly gone. You’ll see a notice on the endpoint detail page explaining this. Click Check Now to force a probe and re-enable the schedule once you’ve fixed the underlying issue.