Discovery Issues

This page provides guidance for diagnosing and resolving problems related to certificate discovery in CERTInext. Discovery issues typically arise when bots are unable to scan target systems, retrieve certificate data, or report results back to the platform.

Timely resolution ensures continuous visibility into certificate inventory and prevents blind spots in lifecycle monitoring.

Common Discovery Symptoms

Discovery-related problems may present as:

  • Bot status showing Stopped, Inactive, or Pending

  • Zero certificates discovered after scan

  • High Error Stats Count on the Discovery Dashboard

  • Scan logs showing connectivity or permission failures

  • Certificates missing from inventory despite being deployed

Step 1: Check Bot Status

Navigate to: Certificates → Discovery → Bots

Verify:

  • Bot Status is Active

  • Last Bot Update timestamp is recent

  • Bot Version is up to date

If the bot is inactive:

  • Restart the bot service on the host system

  • Verify bot token validity

  • Confirm outbound connectivity to CERTInext

Step 2: Validate Network Connectivity

Discovery bots require outbound HTTPS connectivity.

Verify:

  • Port 443 is open for outbound traffic

  • DNS resolution to CERTInext API endpoint

  • Proxy configuration (if required)

  • Firewall rules allowing scan traffic

For internal scans, confirm access to:

  • Target IP addresses

  • FQDNs

  • Required ports (e.g., 443, 8443, 22, 5985, 389)

Step 3: Verify Scan Target Configuration

Review scan configuration:

  • FQDN / IP address entries

  • Port ranges

  • CIDR ranges

  • Remote directory paths

  • SSH or RDP credentials

  • Cloud provider API credentials

Incorrect IP ranges or invalid credentials often result in zero discovery results.

Step 4: Review Scan Logs

Navigate to:

Certificates → Discovery → Bots → View → Scan Logs

Check:

  • Scan Start and End timestamps

  • Newly Discovered Certificates count

  • Error details for failed targets

If errors are present:

  • Confirm target system availability

  • Validate authentication credentials

  • Check certificate store permissions

Step 5: Validate Permissions

Depending on scan type:

  • SSH – Ensure the username and password are correct

  • WinRM – Confirm remote management is enabled

  • LDAP/AD – Verify bind account permissions

  • Cloud Providers – Confirm API access keys and region configuration

  • HSM – Validate slot access and PIN

Insufficient privileges may prevent certificate extraction.

Step 6: Check Endpoint Accessibility

If certificates are not detected:

  • Confirm TLS is enabled on the specified port

  • Validate the service is listening

  • Ensure load balancers expose certificate bindings

  • Confirm Kubernetes secrets contain TLS objects

Incorrect service bindings can cause discovery gaps.

Step 7: Validate Air-Gapped or Proxy Deployments

For isolated environments:

  • Ensure correct offline installation bundle was used

  • Confirm relay connectivity (if applicable)

  • Validate proxy host and authentication configuration

Step 8: Re-run Discovery

After correcting issues:

  • Click Run Scan from the Bot Actions menu

  • Monitor scan logs for updated results

  • Confirm new certificates appear in the Discovery Inventory

When to Escalate

Collect the following before escalating:

  • Bot Name and IP Address

  • Scan log excerpts

  • Error messages

  • Target system details

  • Recent configuration changes

Providing structured information reduces resolution time.

Best Practices

  • Schedule regular scans (Daily or Weekly)

  • Use meaningful bot names by environment

  • Monitor Error Stats Count proactively

  • Validate new environments after infrastructure changes

Issue Examples

The following are common issue examples related to Discovery, with steps to troubleshoot each:

ISSUE EXAMPLE-1 – Discovery Bot Shows “No Certificates Found”

Title

Discovery Bot Shows “No Certificates Found” Despite Known Certificates

Issue Description

  • A discovery Bot runs against known web servers or domains that are actively using certificates, but the result shows zero certificates.

  • The discovery Bot completes with status “Discovered”, yet the certificate inventory remains empty for those targets.

  • The UI may show informational text such as “0 certificates discovered” without any explicit error.

Possible Causes

  • The discovery bot used for the scan is offline.

  • Discovery scope is misconfigured (wrong IP range, hostname typo, wrong port, or protocol not enabled).

  • Network or firewall rules block connectivity from the discovery bot to the target servers (for example, outbound 443 blocked).

  • DNS resolution fails for one or more hostnames specified in the discovery target list.

Resolution / Fix

  1. Confirm Discovery Status

    1. Navigate to Discovery → Bots.

    2. Locate the associated bot and verify its Status (Active/Stopped).

    3. If it is Stopped, restart the discovery bot service on the bot host and wait for the status to turn Active.

  2. Validate Bot Targets and Scope

    1. In the bot's Scan Targets details, review IP ranges, hostnames, and ports.

    2. Correct any typos (for example, example.com vs exampel.com).

    3. Ensure the ports you expect to scan (typically 443) are included.

  3. Test Network Connectivity from the Bot

    1. On the bot host, test connectivity to one of the targets:

      1. ping <target-host> (ICMP is often filtered, so a failed ping on its own is not conclusive)

      2. nslookup <target-host>

      3. telnet <target-host> 443, or an equivalent TCP connection test.

    2. If any of these fails, work with the network team to allow outbound traffic from the bot to the targets on required ports.

  4. Re-run a Small Focused Discovery Bot

    1. Create a new discovery bot targeting just 1–2 known, accessible hosts.

    2. Run the Bot and monitor until completion.

Validation / Confirmation

  • The new discovery Bot completes successfully and lists the certificates.

  • The certificate inventory shows the entries.
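The connectivity and endpoint checks in Steps 2, 3 and 6 above, and the per-target test in step 3 of this issue example, can be run from the bot host in one pass. The following script is an added example, not CERTInext code or the bot's own logic: it probes each host:port the way a discovery bot would and classifies what it sees as a DNS failure, an unreachable port, a listener that does not speak TLS, or a reachable certificate (recorded by SHA-256 fingerprint so it can be matched against inventory). The hostnames, ports and the loopback services used for the demonstration are constructed.

```python
"""Probe discovery targets the way a bot would and classify each failure.

Added example (not CERTInext code). Status values map to the checks above:
dns_failure -> Step 2, unreachable -> Steps 2/3, not_tls -> Step 6,
tls_ok -> certificate reached. Hostnames, ports and the loopback services
used for the demonstration are constructed.
"""
import hashlib
import socket
import ssl
import threading
from collections import Counter


def probe_target(host, port, timeout=3.0):
    """Return what a discovery bot would observe for one host:port."""
    result = {"host": host, "port": port}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:          # name does not resolve from this host
        return {**result, "status": "dns_failure", "detail": str(exc)}
    except OSError as exc:                  # refused, reset, timed out, no route
        return {**result, "status": "unreachable", "detail": str(exc)}

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE         # inventory must see untrusted/self-signed certs too
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            version = tls.version()
    except ssl.SSLError as exc:             # something listens, but it is not TLS
        return {**result, "status": "not_tls", "detail": exc.reason or str(exc)}
    except OSError as exc:                  # closed or timed out mid-handshake
        return {**result, "status": "handshake_failed", "detail": str(exc)}
    return {
        **result,
        "status": "tls_ok",
        "tls_version": version,
        "sha256": hashlib.sha256(der).hexdigest(),   # key to match against inventory
        "pem": ssl.DER_cert_to_PEM_cert(der),
    }


def probe_targets(targets, timeout=3.0):
    """targets: iterable of (host, port). Returns one result per target."""
    return [probe_target(h, p, timeout) for h, p in targets]


def summarize(results):
    """Per-status counts, the same view as the dashboard's Error Stats Count."""
    return dict(Counter(r["status"] for r in results))


def start_plain_http_listener():
    """Constructed loopback stand-in for a service that listens on the expected
    port but has TLS disabled. Returns the port it is bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(1024)                       # swallow the ClientHello
                    conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_loopback_port():
    """A loopback port nothing listens on, to simulate a stopped service."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    targets = [
        ("127.0.0.1", start_plain_http_listener()),   # listening, TLS off
        ("127.0.0.1", closed_loopback_port()),        # nothing listening
        ("no-such-host.invalid", 443),                # DNS failure
    ]
    results = probe_targets(targets)
    for r in results:
        print(f"{r['host']}:{r['port']}  {r['status']:<17} "
              f"{r.get('detail', r.get('sha256', ''))}")
    print("summary:", summarize(results))
```

Replace the constructed targets with the hosts and ports from the bot's Scan Targets; a target that comes back tls_ok from the bot host but is still absent from inventory points at the bot itself (token, outbound HTTPS to CERTInext) rather than at the target. Parsing subject and expiry out of the returned PEM needs a certificate library, which the script deliberately leaves out.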

ISSUE EXAMPLE-2 – Discovery Bot Shows “Stopped” in Portal

Title

Discovery Bot Shows “Stopped” in Portal

Issue Description

  • In the Discovery Dashboard → Manage Bots page, one or more bots appear with status “Stopped”.

  • A discovery assigned to the bot stops or does not start.

  • No new discovery data is generated for networks that rely on that bot.

Possible Causes

  • Discovery Bot service is stopped.

  • Authentication/registration token used by the bot has expired, been rotated, or revoked.

  • Network or firewall changes now block outbound connectivity from the bot host to the CERTInext service endpoints.

  • OS or infrastructure changes (restarts, patching, migration) left the Bot misconfigured or unable to start.

Resolution / Fix

  1. Review Bot Details in the Portal

    1. Go to Discovery Dashboard → Manage Bots.

    2. Select the stopped bot and note the bot name, associated host, last check‑in time, and any error messages shown.

  2. Verify the Bot Service on the Bot Host

    1. Log in to the server where the bot is installed.

    2. Check the status of the CERTInext discovery bot service.

    3. If the service is stopped, start it and configure it for automatic startup.

  3. Validate Connectivity to CERTInext

    1. From the bot host, verify outbound HTTPS to the CERTInext endpoint used by the bot.

    2. If this fails, coordinate with your network/security team to allow outbound traffic on required ports (usually 443).

  4. Restart Bot and Monitor Bot Status

    1. Restart the bot service once configuration and connectivity are corrected.

    2. Return to Discovery → Bots, refresh, and confirm that the bot changes to Active within a few minutes.

Validation / Confirmation

  • The bot shows Active in the portal.

  • A new discovery assigned to this bot progresses from Initiated to Configured to Discovered.

ISSUE EXAMPLE-3 – Discovery Bot Stuck in “Initiated or Configured” State

Title

Discovery Bot Stuck in “Initiated or Configured” State for Extended Time

Issue Description

  • A discovery shows status “Initiated” or “Configured” for significantly longer than normal.

  • No new certificates appear in the inventory while the Bot is stuck.

Possible Causes

  • The discovery scope is too large (for example, very large IP ranges or port ranges in a single bot).

  • The assigned bot host lacks sufficient CPU/RAM for the configured scan size.

  • High network latency, packet loss, or intermittent firewall/IPS behavior is slowing or blocking many connection attempts.

  • Misconfigured timeouts or concurrency (where configurable) cause long waits on unreachable targets.

Resolution / Fix

  1. Review Bot Configuration and Scope

    1. Go to Discovery Dashboard → Bots and open the bot details.

    2. Confirm the bot type is Discovery and review:

      1. IP ranges, hostnames, and ports.

      2. Any filters or advanced options that may broaden the scope.

    3. Determine whether the bot is scanning a very large network segment or many targets at once.

  2. Check Resource Utilization on Assigned Bot

    1. Identify which bot is executing the scan from the Bots list.

    2. Log in to that bot host and check CPU, memory, and network utilization.

    3. If the host is heavily loaded, consider temporarily reducing other workloads or increasing system resources.

  3. Cancel the Oversized Bot

    1. From the Bots page, cancel the stuck discovery if it has been running far longer than is typical for similar scopes.

    2. Document its scope so you can split it into smaller bots (as below).

  4. Split Scope into Multiple Smaller Bots

    1. Create multiple discovery bots that each handle a smaller, clearly defined subset of the original IP range or host list.

    2. Avoid mixing very remote or high-latency segments with local segments in the same bot.

  5. Run a Small Test Bot First

    1. Create a test Bot with 10–20 representative target hosts.

    2. Run the Bot and measure completion time and behavior.

    3. If successful, gradually scale up with additional bots until you reach a stable pattern.

  6. Download and Review Logs

    1. For the original stuck discovery, download logs if available (Audit → Reports).

    2. Look for repeated timeout messages, connection failures, or internal errors.

    3. Adjust Bot configuration where the logs indicate systematic connectivity issues.

Validation / Confirmation

  • New, smaller discovery bots move from “Initiated” to “Configured” to “Discovered”.

  • Certificates from the relevant target ranges are visible in the inventory and show the accurate discovered certificate details.
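To see why an oversized scope stalls in “Initiated” or “Configured”, and to split it the way steps 3 and 4 above describe, it helps to count the host:port probes a scope implies and to cut it along subnet boundaries. The script below is an added example, not CERTInext code: the per-probe connect timeout, the number of parallel probes, and the probe budget per bot are illustrative assumptions rather than platform defaults, and the 10.20.0.0/16 scope is constructed.

```python
"""Size a discovery scope and split an oversized one into smaller bots.

Added example (not CERTInext code). The per-probe timeout, concurrency and
probe budget are illustrative assumptions, not platform defaults.
"""
import ipaddress
import math


def scope_size(cidrs, ports):
    """Number of addresses and of host:port probes in a scope."""
    hosts = sum(ipaddress.ip_network(c, strict=False).num_addresses for c in cidrs)
    return hosts, hosts * len(ports)


def worst_case_seconds(probes, timeout_s=5.0, concurrency=50):
    """Wall-clock upper bound if every probe waits out its connect timeout,
    with `concurrency` probes in flight at once (both figures assumed)."""
    return math.ceil(probes / concurrency) * timeout_s


def split_cidrs(cidrs, max_hosts):
    """Split each CIDR into whole sub-networks of at most max_hosts addresses,
    so each smaller bot still has a clearly defined range."""
    max_hosts = max(1, max_hosts)
    chunks = []
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=False)
        host_bits = max_hosts.bit_length() - 1          # floor(log2(max_hosts))
        new_prefix = max(net.prefixlen, net.max_prefixlen - host_bits)
        chunks.extend(str(s) for s in net.subnets(new_prefix=new_prefix))
    return chunks


def plan_bots(cidrs, ports, max_probes):
    """Pack sub-networks into bots so no bot exceeds max_probes host:port probes.
    Adjacent sub-networks are kept together; remote/high-latency segments
    should be passed in as a separate call so they get their own bots."""
    per_host = len(ports)
    max_hosts = max(1, max_probes // per_host)
    bots, current, load = [], [], 0
    for chunk in split_cidrs(cidrs, max_hosts):
        cost = ipaddress.ip_network(chunk).num_addresses * per_host
        if current and load + cost > max_probes:
            bots.append(current)
            current, load = [], 0
        current.append(chunk)
        load += cost
    if current:
        bots.append(current)
    return bots


if __name__ == "__main__":
    cidrs, ports = ["10.20.0.0/16"], [443, 8443]          # constructed oversized scope
    hosts, probes = scope_size(cidrs, ports)
    print(f"{hosts} hosts x {len(ports)} ports = {probes} probes; "
          f"worst case ~{worst_case_seconds(probes) / 3600:.1f} h in one bot")
    bots = plan_bots(cidrs, ports, max_probes=2048)
    print(f"{len(bots)} bots of <=2048 probes each, e.g. {bots[0]}; "
          f"worst case ~{worst_case_seconds(2048):.0f} s per bot")
```

The worst case is what matters for a stuck scan: a scope where most addresses are unused means most probes time out rather than connect, so a /16 with two ports can sit in one bot for hours even at modest timeouts, while each /22 chunk completes in minutes and a failure is localised to one range.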

ISSUE EXAMPLE-4 – Partial Discovery: Some Hosts Found, Others Missing

Title

Discovery Only Finds Certificates on Some Hosts, Others Missing

Issue Description

  • Discovery bot shows “Discovered Certificates” but only returns certificates for a subset of the expected hosts.

  • Some IPs or domains that should have certificates do not appear in results.

Possible Causes

  • Scan scope does not include all required IP ranges or hostnames.

  • Some targets listen on non-standard ports (not included in the discovery configuration).

  • Firewalls or security groups block traffic to a portion of the target range.

  • DNS or routing differences cause certain hosts to be unreachable from the bot.

Resolution / Fix

  1. Review Scan Target Scope vs Actual Servers

    1. Compare the bot’s IP ranges/host list with the actual list of servers expected to be scanned.

    2. Confirm no ranges or hostnames were accidentally omitted.

  2. Check Port Configuration

    1. Verify which ports are configured for discovery (for example, 443 only vs 443, 8443, etc.).

    2. Add any custom ports known to be used by your applications and re-run.

  3. Test Connectivity to Missing Hosts

    1. From the bot host, run tests specifically against a host that is missing from results:

      1. nslookup <host>

      2. telnet <host> <port> / equivalent.

    2. If connectivity fails, work with the network team to adjust routes/firewalls.

  4. Run a Focused Bot on Missing Hosts Only

    1. Create a new discovery bot that targets only the hosts or range that were missing.

    2. Run the bot and inspect whether certificates are discovered.

Validation / Confirmation

  • Focused discovery bot reports certificates for the previously missing hosts.

  • Inventory includes all key hosts in the relevant segment.
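Steps 1 and 2 of this example are a reconciliation: take the list of servers that should carry certificates, check each missing one against the bot's configured ranges and ports, and only send the remainder to the connectivity test. The script below is an added example, not CERTInext code. The expected inventory, the scan configuration and the discovered set are constructed; in practice the first comes from the CMDB or load-balancer configuration and the last from the bot's Scan Logs.

```python
"""Reconcile the expected server list with the bot's scope and its results.

Added example (not CERTInext code). All data below is constructed.
"""
import ipaddress


def reconcile(expected, scan_cidrs, scan_ports, discovered):
    """expected:   {hostname: (ip, port)} of servers that should have certificates
    scan_cidrs: CIDR strings configured in the bot's Scan Targets
    scan_ports: ports configured in the bot's Scan Targets
    discovered: set of (ip, port) the bot reported a certificate for
    Returns the missing hosts bucketed by the cause each one points to."""
    nets = [ipaddress.ip_network(c, strict=False) for c in scan_cidrs]
    ports = set(scan_ports)
    out = {"out_of_scope": [], "port_not_scanned": [], "unreachable_candidates": []}
    for name, (ip, port) in sorted(expected.items()):
        if (ip, port) in discovered:
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets):
            out["out_of_scope"].append(name)            # fix: add the range to Scan Targets
        elif port not in ports:
            out["port_not_scanned"].append(name)        # fix: add the port to the scan config
        else:
            out["unreachable_candidates"].append(name)  # fix: test connectivity from the bot host
    return out


def focused_targets(expected, names):
    """(host, port) pairs for a small follow-up bot over just the missing hosts."""
    return [expected[n] for n in names]


# Constructed sample data for the demonstration.
EXPECTED = {
    "web1.corp.example":   ("10.20.1.10", 443),   # in scope, discovered
    "web2.corp.example":   ("10.20.1.11", 443),   # in scope, not discovered
    "api1.corp.example":   ("10.20.1.20", 8443),  # in scope, but 8443 is not scanned
    "proxy1.corp.example": ("10.30.5.4", 443),    # outside the configured range
}
SCAN_CIDRS = ["10.20.1.0/24"]
SCAN_PORTS = [443]
DISCOVERED = {("10.20.1.10", 443)}


if __name__ == "__main__":
    gaps = reconcile(EXPECTED, SCAN_CIDRS, SCAN_PORTS, DISCOVERED)
    for cause, names in gaps.items():
        print(f"{cause}: {names}")
    todo = gaps["unreachable_candidates"] + gaps["port_not_scanned"]
    print("focused bot targets:", focused_targets(EXPECTED, todo))
```

Only the unreachable_candidates bucket needs network work; out_of_scope and port_not_scanned are configuration fixes on the bot, and re-running before correcting them would reproduce the same gap.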
