Overview 💥
Liongard’s TLS/SSL Inspector automatically validates public-facing certificates to ensure availability, expiration awareness, and security hygiene for domains managed by your organization.
In some cases, the Inspector may fail during data collection, resulting in timeout errors, unreachable hosts, or failed certificate retrieval. These failures are typically caused by:
Host-level traffic blocklisting
Certificates bound to non-standard ports
Attempting to inspect private/internal certificates
Network or DNS misconfiguration
This guide provides detailed troubleshooting steps, key Inspector limitations, and guidance on when to contact Liongard Support.
Why Do TLS/SSL Inspector Failures Occur? 🤔
1️⃣ Blocklisting by Host (Most Common Cause)
Some hosting providers deploy security tooling that blocks non-browser or automated/bot traffic on port 443. Liongard’s TLS/SSL Inspector runs from the Cloud Agent, so if the Agent’s outbound IP is blocklisted, or if anti-bot/anti-scan software rejects automated probes, the inspection can fail with symptoms such as:
Timeout: TLS/SSL Certificate Inspection Timed Out
Host unreachable on 443
Connection reset by peer
This condition is especially common with WAF/CDN services (Cloudflare, Sucuri, Akamai) and security-conscious hosting providers.
2️⃣ Certificates Bound to Ports Other Than 443
The Inspector assumes the TLS/SSL certificate is published on the industry-standard HTTPS port:
443
When a certificate is instead bound to a different port (e.g., 8443, 9443), the Inspector cannot reach the certificate unless the port is manually specified.
Example of a non-standard binding:
https://exampledomain.com:8443
If the Inspector is configured without the port, the inspection will fail.
3️⃣ Private/Internal TLS/SSL Certificates (Unsupported)
The TLS/SSL Inspector only supports public-facing domains.
This means:
Certificate Type | Supported? | Notes |
Public domain certificates (Let's Encrypt, DigiCert, Cloudflare, etc.) | ✅ Yes | Fully supported |
Private/internal CA certs | ❌ No | Not reachable from Cloud Agent |
Certificates tied to internal FQDNs | ❌ No | e.g., |
Troubleshooting & Resolution Steps 👨‍💻
1️⃣ — Confirm Public Reachability of Port 443
Run:
Test-NetConnection yourdomain.com -Port 443
Or use an external port scanner such as https://portchecker.co.
Interpretation:
Result | Meaning | Action |
TcpTestSucceeded = True | Host reachable | Proceed to Step 2 |
TcpTestSucceeded = False | Host blocked/unreachable | Host may be blocking Liongard (see Step 4) |
2️⃣ — Validate Whether the Certificate Uses a Non-Standard Port
If your service is not on 443, locate the correct port (application admin or hosting control panel).
Then update the Inspector:
Go to Inspectors → TLS/SSL
Click the three dots (⋮) next to the Inspector
Select Edit
Specify the correct port:
yourdomain.com:8443
3️⃣ — Confirm the Certificate Is Publicly Accessible
Use:
openssl s_client -connect yourdomain.com:443
If the command cannot retrieve the certificate, it is likely internal/non-public.
Internal/private certificates cannot be inspected by Liongard.
4️⃣ — Check for Host-Level Blocklisting
If reachability tests fail or timeouts persist, the hosting provider may be blocking the Cloud Agent’s IP.
Common signs:
Inspection succeeds locally but fails in Liongard
WAF logs show bot-blocking
Error includes "timeout", "reset", or "blocked"
What to Do
Whitelist the Liongard Cloud Agent IPs on your hosting provider / CDN / WAF.
Contact Support if you require the Cloud Agent IP list or assistance validating blocklisting.
Ask the hosting provider to allow automated TLS/SSL scanning.
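The checks in Steps 1 to 4, combined into one probe, as an added example (not Liongard's code): it connects to the host and port, completes a verified TLS handshake, and maps each failure to the likely cause from this article. The function names and verdict strings are assumptions of this example.

```python
import socket
import ssl
import sys

def parse_target(target, default_port=443):
    """Split 'host', 'host:port' or 'https://host:port' (IPv6 literals not handled)."""
    target = target.split("://", 1)[-1].rstrip("/")
    host, sep, port = target.rpartition(":")
    return (host, int(port)) if sep else (target, default_port)

def classify(exc):
    """Map a probe exception to a likely cause from the quick-reference table."""
    # Order matters: SSLCertVerificationError is a subclass of SSLError.
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Assumption of this example: an untrusted chain or name mismatch
        # points at a private CA or a proxy serving the wrong certificate.
        return "certificate mismatch or non-public CA"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout: host may be blocking traffic (check WAF/CDN)"
    if isinstance(exc, ConnectionRefusedError):
        return "connection refused: wrong port"
    if isinstance(exc, ConnectionResetError):
        return "reset by peer: possible bot blocking"
    if isinstance(exc, socket.gaierror):
        return "DNS resolution failed"
    if isinstance(exc, ssl.SSLError):
        return "handshake failed: no certificate returned"
    return "unclassified: " + type(exc).__name__

def probe(target, timeout=10.0):
    """Run a verified TLS handshake; return (verdict, certificate dict or None)."""
    host, port = parse_target(target)
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.getpeercert()
    except OSError as exc:
        return classify(exc), None

if __name__ == "__main__" and len(sys.argv) > 1:
    verdict, cert = probe(sys.argv[1])
    print(verdict, cert.get("notAfter") if cert else "")
```

Run it from a network outside your own with the same host:port entered in the Inspector; an "ok" there while the Inspector still fails matches the "Works locally but not in Liongard" case.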
Inspector Capabilities & Best Practices (New Enhancements) 🤩
The TLS/SSL Inspector includes powerful visibility tools beyond simple certificate retrieval.
Key Features
📅 Inspector Timeline
Track historical certificate changes (renewals, issuer changes, SAN updates).
📝 Notes
Attach remediation tasks or expiration reminders directly within Liongard.
📊 Certificate Information Panels
The Inspector provides:
Panel | Description |
Overview | High-level certificate summary |
Certificate Info | Issuer, subject, SAN, validity, serial number |
Public Key | Key length, algorithm |
Protocols | Supported TLS versions |
Extensions | Security enhancements, OCSP, key usage flags |
Prebuilt metrics detect:
Certificates expiring within 30, 15, or 7 days.
Weak keys.
Deprecated TLS protocols.
Issuer changes.
🔄 Automated Daily Checks
Data is collected automatically every 24 hours.
📁 PSA & Documentation Integration
Certificate details flow into:
Troubleshooting Quick Reference 🚀
Symptom | Likely Cause | Solution |
Timeout | Host blocking traffic | Check WAF/CDN; whitelist Cloud Agent |
"Connection Refused" | Wrong port | Add correct port in Inspector |
No certificate returned | Private/internal cert | TLS/SSL Inspector not supported internally |
Works locally but not in Liongard | Cloud Agent IP blocklisted | Contact hosting provider / Liongard Support |
Certificate mismatch | Reverse proxy misrouting | Validate DNS & proxy forwarding |
When to Contact Liongard Support 🦁
Contact Support if:
You suspect Cloud Agent blocklisting
The certificate resolves externally but not in Liongard
You need the Cloud Agent outbound IP list
The Inspector fails despite correct port and public visibility
HTTPS configuration is unclear or involves multi-level proxies/CDNs
Recommended Details to Include:
Required | Why |
Domain being inspected | Confirms target |
Full Inspector error | Helps isolate cause |
Port reachability test results | Identifies firewall issues |
Hosting provider/CDN type | Helps identify bot-blocking |
Example screenshot | Speeds troubleshooting |
Disclaimers ‼️
Private/internal TLS/SSL certificates remain unsupported.
Cloud Agent IPs may be blocked by some providers; Liongard cannot override hosting policies.
TLS/SSL Inspector is designed for public domain inspection only.
This article will be updated as Liongard releases additional improvements or scanning methods.
Liongard documentation may reference external vendor sites and third-party resources. These links are provided for convenience. Liongard does not control or guarantee the accuracy, availability, or security of external sites. Use third-party tools and documentation at your discretion.
