Agent Connectivity Issues

The Agent Connectivity Issues section addresses problems where CERTInext Bots (Discovery or Provisioning agents) fail to communicate with the CERTInext platform or cannot reach configured target systems. Since bots operate within enterprise networks and initiate outbound communication, connectivity problems directly impact discovery scans, automated issuance, and deployment workflows.

Timely resolution ensures uninterrupted certificate visibility and lifecycle automation.

Common Symptoms

Connectivity issues may appear as:

  • Bot status showing Inactive, Stopped, or Pending

  • Last Bot Update timestamp not refreshing

  • Discovery scans not running

  • Provisioning tasks stuck in queue

  • Renewal not triggering

  • Frequent timeout or network errors in logs

Step 1: Verify Bot Status

Navigate to: Certificates → Discovery → Bots or Certificates → Provisioning → Bots

Check:

  • Bot Status = Active

  • Last Bot Update shows recent communication

  • Bot Version is current

  • Bot token has not expired

If status is inactive:

  • Restart the bot service on the host

  • Confirm token validity

  • Re-register the bot if required

Step 2: Validate Outbound Connectivity

CERTInext bots require outbound HTTPS connectivity.

Verify from the bot host:

  • Port 443 (HTTPS) is open

  • DNS resolution to CERTInext API endpoint

  • Proxy configuration (if applicable)

  • No firewall blocks for outbound requests

Test using: curl https://<api-endpoint>/health

If a proxy is required, confirm that its hostname, port, and authentication settings are correctly configured.
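The curl test above fails in different ways depending on which item in the Step 2 checklist is at fault. The script below is an added example, not CERTInext tooling: it maps curl's documented exit codes and the proxy CONNECT status to the most likely cause. The function names are hypothetical, and the health URL must be supplied by the operator as the first argument.

```shell
#!/bin/sh
# Added example: interpret the Step 2 curl test. Pass the platform health URL
# as the first argument; curl picks up https_proxy from the environment.

# classify_curl_result EXIT_CODE HTTP_CODE PROXY_CONNECT_CODE
classify_curl_result() {
    rc=$1; http=$2; conn=$3
    # A proxy that rejects the CONNECT tunnel leaves http_code at 000, so the
    # proxy's own status (%{http_connect}) is checked before the exit code.
    if [ "$conn" = "407" ] || [ "$http" = "407" ]; then
        echo "PROXY_AUTH: proxy demands or rejected credentials"; return
    fi
    case "$rc" in
        0)  case "$http" in
                2??) echo "OK: endpoint reachable over HTTPS" ;;
                *)   echo "HTTP_$http: a server answered with an unexpected status" ;;
            esac ;;
        5)  echo "PROXY_DNS: proxy hostname does not resolve" ;;
        6)  echo "DNS: API hostname does not resolve" ;;
        7)  echo "CONNECT: TCP connection refused or blocked on the way to port 443" ;;
        28) echo "TIMEOUT: no answer in time, typical of a silently dropping firewall" ;;
        35) echo "TLS_HANDSHAKE: handshake failed, check HTTPS inspection devices" ;;
        60) echo "TLS_TRUST: certificate chain not trusted, typical of SSL inspection" ;;
        56) echo "RECV: connection cut while receiving, check proxy or inline filtering" ;;
        *)  echo "CURL_$rc: see EXIT CODES in the curl manual" ;;
    esac
}

# check_endpoint URL: run the test with bounded timeouts and classify the result
check_endpoint() {
    out=$(curl -s -o /dev/null --connect-timeout 10 --max-time 20 \
          -w '%{http_code} %{http_connect}' "$1" 2>/dev/null)
    code=$?
    # $out is left unquoted on purpose so it splits into the two status codes
    classify_curl_result "$code" ${out:-000 000}
}

# Only touch the network when a URL was given on the command line
if [ "$#" -gt 0 ]; then
    check_endpoint "$1"
fi
```

A TLS_TRUST result on a host that can reach other HTTPS sites usually points at the inspection devices covered in Step 5 rather than at the bot itself.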

Step 3: Check System-Level Requirements

Ensure the bot host meets prerequisites:

  • Supported operating system

  • Administrator/root privileges

  • NTP time synchronization enabled

  • Minimum disk space available

  • Bot service running (Windows Service / systemctl)

Time drift may cause authentication failures.

Step 4: Validate Token and Activation Window

Bots authenticate using a time-bound token.

Check:

  • Activation window has not expired

  • Bot token matches the one generated in CERTInext

  • Token was not revoked

If expired, regenerate and reinstall the bot.

Step 5: Review Firewall and Security Controls

Ensure:

  • No outbound HTTPS inspection blocking traffic

  • SSL inspection devices allow API traffic

  • Endpoint protection does not block bot process

  • Required internal ports (SSH, WinRM, LDAP) are accessible for target systems

Blocked ports commonly cause scan and deployment failures.

Step 6: Check Target Connectivity

If the bot is active but tasks fail:

Verify connectivity to:

  • Target IP addresses

  • Required ports (443, 8443, 22, 5985, etc.)

  • Application service endpoints

  • HSM or KMS endpoints (if configured)

Network segmentation or ACL misconfiguration may prevent internal access.

Step 7: Review Bot Logs

Check local logs on the bot host:

  • Installation log

  • Agent log

  • Error log

Look for:

  • Authentication errors

  • Timeout exceptions

  • Permission denied messages

  • Proxy misconfiguration

Logs provide detailed diagnostics beyond dashboard indicators.

Step 8: Restart or Reinstall Bot

If persistent issues occur:

  • Restart bot service

  • Re-register using valid token

  • Reinstall using automated or manual installation method

For air-gapped environments, ensure the offline bundle was correctly deployed.

When to Escalate

Provide:

  • Bot Name and IP address

  • Last Bot Update timestamp

  • Error log excerpts

  • Network topology details

  • Proxy or firewall configuration notes

This helps isolate network vs configuration issues quickly.

Best Practices

  • Monitor bot health daily

  • Use descriptive naming by environment

  • Keep bot version updated

  • Validate connectivity after firewall or proxy changes

  • Deploy separate bots per network segment where required
