SSL Endpoint Unreachable — What It Means and How to Investigate
GuardHound flags SSL unreachable when the certificate fetch times out or the TLS handshake fails. Unreachable doesn’t mean missing — it means we couldn’t verify, so the score isn’t penalized. Here’s how to figure out why and whether visitors see the same problem.
What “unreachable” means in your finding
When the SSL fetcher can’t complete a handshake, the warning says so honestly: we don’t know if your cert is fine or broken, and we refuse to penalize the score for ambiguity. The next scan will retry and either confirm a real problem or quietly clear the warning.
Unreachable is most often a transient network blip, but it can also indicate a firewall, a hosting outage, or a serious TLS misconfiguration that breaks real visitors too.
The four common causes
- Transient timeout. Your host or our scanner had a momentary network hiccup. Re-scan in 5 minutes.
- Firewall / WAF blocking. Cloudflare, AWS WAF, or your origin firewall is dropping connections from unfamiliar IPs. Allow public scanning IPs or check rate-limit rules.
- Server is down. The whole site is offline, not just SSL. Check uptime monitoring or open the site in a browser.
- TLS misconfiguration. Cipher suite mismatch, expired root, or SNI broken. Test with `openssl s_client -connect yourdomain:443` from a clean shell.
How to investigate in 60 seconds
- Open the site in a private browser window. If it loads with a green padlock, the issue is transient or scanner-specific.
- Run `curl -vI https://yourdomain.com` from an external server. Real TLS errors show up in the verbose output.
- Check SSL Labs for a deep TLS configuration audit. A grade of T or F means visitors see warnings too.
- Re-run the GuardHound scan. If the warning clears, it was transient and no action is needed.
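The same investigation can be scripted so the failing stage points at one of the causes above. This is an added example, not GuardHound's code: it separates DNS, TCP and TLS using only Python's standard `socket` and `ssl` modules, and the stage names, the `HINTS` wording and the `probe` function are this example's own.

```python
import socket
import ssl

# Stage -> the cause it most likely points at (wording is this example's own).
HINTS = {
    "dns": "name did not resolve (outside the four causes; check DNS first)",
    "tcp-timeout": "transient timeout, or a firewall/WAF silently dropping packets",
    "tcp-failed": "refused or unreachable: server down, or firewall rejecting",
    "tls-timeout": "TCP connected but no TLS reply: overloaded host or filtering",
    "tls-handshake": "TLS misconfiguration (protocol/cipher mismatch, broken SNI)",
    "cert-invalid": "handshake reached the certificate but validation failed",
    "ok": "handshake and certificate validation succeeded",
}

def probe(host, port=443, timeout=5.0):
    """Return (stage, detail) for the first stage that fails, or ("ok", version)."""
    try:
        family, kind, proto, _, addr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        return "dns", str(exc)
    sock = socket.socket(family, kind, proto)
    sock.settimeout(timeout)
    try:
        try:
            sock.connect(addr)
        except socket.timeout as exc:
            return "tcp-timeout", str(exc)
        except OSError as exc:
            return "tcp-failed", str(exc)
        ctx = ssl.create_default_context()  # system trust store, hostname check on
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.version()
        except ssl.SSLCertVerificationError as exc:
            return "cert-invalid", exc.verify_message
        except socket.timeout as exc:
            return "tls-timeout", str(exc)
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            return "tls-handshake", str(exc)
    finally:
        sock.close()

if __name__ == "__main__":
    import sys
    stage, detail = probe(sys.argv[1] if len(sys.argv) > 1 else "example.com")
    print(f"{stage}: {HINTS[stage]} ({detail})")
```

A `tcp-timeout` or `tls-timeout` that clears on a second run is the transient case; a `tls-handshake` or `cert-invalid` result that repeats is the one visitors are likely to hit too.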
Common fixes
For firewall blocks, allow your scanning provider’s IPs (or simply confirm the issue isn’t blocking real users). For TLS misconfigurations, work with your hosting provider’s docs to enable TLS 1.2/1.3 with modern ciphers. For real outages, follow your incident-response runbook.