Quick Diagnostics

Before diving into specific issues, run these quick checks:
1. Verify DNS

dig CNAME status.mycompany.com
Should return: status.watchmantower.com

2. Check Status Badge

Look at your dashboard - what color is the status badge?
  • Green (Working) = All good ✅
  • Yellow (SSL Being Issued) = Wait 10-15 min ⏳
  • Red (Configuration Error) = Fix DNS ❌

3. Test HTTP Access

curl -I http://status.mycompany.com
Should return 200 or 301 (redirect to HTTPS)

Common Issues

Status Stuck on “SSL Being Issued”

Domain stays in SSL Being Issued status for more than 20-30 minutes without moving to Working.
Possible Causes:
Symptoms:
  • CNAME record added recently (< 10 minutes ago)
  • dig command shows no results or old data
Solution:
1. Check TTL

Look at your CNAME record’s TTL (Time To Live). If it’s high (e.g., 86400), propagation takes longer.

2. Wait for Propagation

Typical propagation: 5-30 minutes
High TTL: Up to 24 hours (rare)

3. Test from Multiple DNS Servers


# Google DNS
dig @8.8.8.8 CNAME status.mycompany.com

# Cloudflare DNS
dig @1.1.1.1 CNAME status.mycompany.com

# Your ISP
dig CNAME status.mycompany.com
If results differ, DNS is still propagating
Symptoms:
  • Using Cloudflare as DNS provider
  • CNAME record shows orange cloud icon
  • Status never progresses past SSL Being Issued
Why This Breaks: Cloudflare’s proxy intercepts traffic and serves its own SSL certificate, which conflicts with Cloudflare for SaaS custom hostname SSL.
Solution:

1. Log into Cloudflare

2. Navigate to DNS

Select your domain → DNS → Records

3. Disable Proxy

Find your status CNAME record. Click the orange cloud icon to turn it gray (DNS only).

4. Wait 5 Minutes

Watchman Tower will detect the change and retry validation automatically.
Symptoms:
  • Domain has CAA records configured
  • SSL validation fails repeatedly
  • Status cycles between SSL Being Issued and Configuration Error
Check CAA Records:
dig CAA mycompany.com
If you see CAA records that don’t include Let’s Encrypt:
mycompany.com. 3600 IN CAA 0 issue "digicert.com"
Solution: Add a CAA record allowing Let’s Encrypt:
Type: CAA
Name: @ (or mycompany.com)
Tag: issue
Value: letsencrypt.org
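Or remove restrictive CAA records entirely. Note that with no CAA records at all, any certificate authority is permitted to issue for the domain, so adding the Let’s Encrypt entry is the narrower change.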
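The CAA check above can be scripted. This is an added example, not part of the original guide: the function name caa_allows and its result labels are made up here, and the sample records are constructed. It reads the output of dig +short CAA on stdin and applies the rule for non-wildcard names (only issue records restrict issuance).

```shell
#!/bin/sh
# caa_allows CA_DOMAIN   (hypothetical helper, not a Watchman Tower tool)
# stdin: output of `dig +short CAA mycompany.com`, e.g.  0 issue "digicert.com"
# Prints one of:
#   unrestricted  no "issue" records, so any CA may issue
#   allowed       an "issue" record names CA_DOMAIN
#   blocked       "issue" records exist but none names CA_DOMAIN
caa_allows() {
  awk -v ca="$1" '
    $2 == "issue" {
      seen = 1
      value = $3
      gsub(/"/, "", value)     # strip the quotes dig prints
      sub(/;.*/, "", value)    # drop parameters after the CA domain
      if (tolower(value) == tolower(ca)) ok = 1
    }
    END {
      if (!seen)   print "unrestricted"
      else if (ok) print "allowed"
      else         print "blocked"
    }'
}

# Constructed sample: the restrictive record shown above.
printf '0 issue "digicert.com"\n' | caa_allows letsencrypt.org

# Constructed sample: the same zone after adding the Let'\''s Encrypt record.
printf '0 issue "digicert.com"\n0 issue "letsencrypt.org"\n' \
  | caa_allows letsencrypt.org

# Live use (needs network):
# dig +short CAA mycompany.com | caa_allows letsencrypt.org
```

A record of the form 0 issue ";" forbids all issuance and is reported as blocked.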
Symptoms:
  • Domain behind another CDN or firewall
  • HTTP requests to /.well-known/acme-challenge/ blocked
Solution: Ensure your firewall/CDN allows HTTP requests to:
/.well-known/acme-challenge/*
This path is used by Let’s Encrypt to validate domain ownership.

Status Shows “Configuration Error”

Status badge is red with Configuration Error message.
Possible Causes:
Symptoms:
  • DNS check returns no CNAME or wrong target
  • Just added domain but haven’t configured DNS yet
Verify:
dig CNAME status.mycompany.com
Expected output:
status.mycompany.com. 3600 IN CNAME status.watchmantower.com.
If missing or wrong:
1. Check DNS Provider

Log into your DNS provider (Cloudflare, Namecheap, etc.)

2. Create CNAME Record

Type: CNAME
Name: status
Target: status.watchmantower.com
TTL: 3600 or Auto

3. Save and Wait

Wait 10-15 minutes for DNS propagation
Common mistakes:
  • status.watchmantower.co (missing “m”)
  • watchmantower.com (missing “status.”)
  • http://status.watchmantower.com (includes protocol)
  • Extra spaces or characters
Correct target:
status.watchmantower.com
No http://, no trailing slash, no extra text.
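The multi-resolver comparison and the target check described above can be combined into one script. This is an added example, not part of the original guide: the function names and result labels are made up here, and the sample answers are constructed rather than real lookups.

```shell
#!/bin/sh
# Expected CNAME target, as given on this page.
EXPECTED="status.watchmantower.com"

# Lowercase the name and drop the trailing root dot that dig prints.
normalize() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# classify_cname ANSWER...   (hypothetical helper)
# Each argument is one resolver's `dig +short CNAME` answer ("" if none).
# Prints: ok | propagating | wrong-target | missing
classify_cname() {
  [ "$#" -gt 0 ] || { echo missing; return 0; }
  match=0; other=0
  for answer in "$@"; do
    a=$(normalize "$answer")
    if [ -z "$a" ]; then
      :                                  # resolver returned no CNAME
    elif [ "$a" = "$EXPECTED" ]; then
      match=$((match + 1))
    else
      other=$((other + 1))               # typo, old target, or extra text
    fi
  done
  if [ "$match" -eq "$#" ]; then echo ok
  elif [ "$match" -gt 0 ]; then echo propagating
  elif [ "$other" -gt 0 ]; then echo wrong-target
  else echo missing
  fi
}

# Constructed answers: two resolvers updated, one still empty.
classify_cname "status.watchmantower.com." "status.watchmantower.com." ""

# Constructed answers: the ".co" typo from the list of common mistakes.
classify_cname "status.watchmantower.co." "status.watchmantower.co."

# Live use (needs network):
# classify_cname "$(dig +short @8.8.8.8 CNAME status.mycompany.com)" \
#                "$(dig +short @1.1.1.1 CNAME status.mycompany.com)" \
#                "$(dig +short CNAME status.mycompany.com)"
```

A result of propagating means at least one resolver already sees the correct target, so waiting is the right move; wrong-target means the record itself needs to be corrected.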
Symptoms:
  • Both A record and CNAME exist for same subdomain
  • Or multiple CNAME records
Solution: Remove all other records for your subdomain. Only one CNAME record should exist:
status.mycompany.com → status.watchmantower.com
Delete any conflicting A, AAAA, or additional CNAME records.
Symptoms:
  • status.mycompany.com already points to another service
  • Previous custom domain setup not cleaned up
Check current use:
curl -I https://status.mycompany.com
If it loads a different page, the domain is in use.
Solution:
  • Choose a different subdomain, OR
  • Remove existing CNAME and any associated configurations
  • Wait for DNS to clear (up to TTL duration)

Browser Shows Privacy or SSL Error

When visiting your custom domain, browser displays:
  • “Your connection is not private”
  • “NET::ERR_CERT_COMMON_NAME_INVALID”
  • “SSL_ERROR_BAD_CERT_DOMAIN”
Possible Causes:
Symptoms:
  • Status badge shows SSL Being Issued (yellow)
  • Just configured DNS within last 10 minutes
Solution: This is normal during setup. Don’t visit the domain until status shows Working (green). SSL validation takes 1-10 minutes.
Wait for the green checkmark, then reload the page.
Symptoms:
  • Status shows Working but browser still shows SSL error
  • Domain worked on another device/browser
Solution:
1. Clear Browser Cache

  • Chrome: Settings → Privacy → Clear browsing data
  • Firefox: Settings → Privacy → Clear Data
  • Safari: Develop → Empty Caches

2. Try Incognito Mode

Open an incognito/private window and test again

3. Flush SSL State (Chrome)

Visit: chrome://net-internals/#hsts
Delete domain security policies for your domain
Symptoms:
  • Manually typed http:// instead of https://
  • Auto-redirect not working yet
Solution: Always visit with HTTPS:
https://status.mycompany.com
If redirect isn’t working, wait a few more minutes for SSL deployment to complete.

Domain Works but Shows Wrong Content

Domain loads but displays incorrect page or old cached content.
Possible Causes:
Symptoms:
  • Works on one network but not another
  • Different behavior on mobile vs desktop
Solution:
1. Flush Local DNS Cache

macOS:
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder
Windows:
ipconfig /flushdns
Linux (systemd-resolved):
sudo resolvectl flush-caches   # older systemd: sudo systemd-resolve --flush-caches

2. Wait for ISP Cache Expiration

ISP DNS caches typically expire after your record’s TTL (usually 1 hour)

3. Test with Public DNS

Temporarily use Google DNS (8.8.8.8) or Cloudflare DNS (1.1.1.1) to bypass ISP cache
Solution:
  • Hard refresh: Ctrl+Shift+R (Windows) or Cmd+Shift+R (Mac)
  • Clear site data in browser settings
  • Test in incognito mode
Rare, but possible: If the Watchman Tower status page was cached at the edge before your custom domain was set up, you might see stale content.
Solution: Wait 5-10 minutes for cache to expire, or contact support to purge edge cache.

Setup Worked, Then Stopped

Custom domain was working (green status) but now shows Configuration Error or page won’t load.
Possible Causes:
Check DNS:
dig CNAME status.mycompany.com
If CNAME is missing or points elsewhere, someone modified DNS settings.
Solution: Re-create the CNAME record pointing to status.watchmantower.com
Symptoms:
  • Using Cloudflare DNS
  • CNAME now shows orange cloud (was gray)
Solution: Disable proxy (set to gray cloud/DNS only)
Check domain registration:
whois mycompany.com
Ensure domain is still registered and not expired.
Rare scenario: Automatic renewal failed due to a transient issue.
Solution:

1. Check Status Badge

If showing Configuration Error, check DNS

2. Verify CNAME

Ensure CNAME is still correct

3. Contact Support

If CNAME is correct but SSL won’t renew, contact support for manual renewal trigger

Advanced Troubleshooting

DNS Propagation Check

Test DNS from multiple locations worldwide: Online tools:

SSL Validation Test

Check if SSL validation endpoint is accessible:
curl -v http://status.mycompany.com/.well-known/acme-challenge/test
Should return a response from Cloudflare (not an error).

Trace DNS Resolution

See full DNS lookup chain:
dig +trace status.mycompany.com
This shows each step of DNS resolution from root servers to your final CNAME.

Check Cloudflare Status

Verify Cloudflare services are operational:
If Cloudflare is experiencing issues, custom domain setup may be delayed.

Getting Support

If you’ve tried all troubleshooting steps and still can’t resolve the issue, we’re here to help.

What to Include When Contacting Support

Required Information:
  1. Your domain name
    status.mycompany.com
    
  2. Screenshot of DNS settings
    • Show the CNAME record in your DNS provider dashboard
    • Include record type, name, and target
  3. DNS query output
    dig CNAME status.mycompany.com
    
    Copy and paste the full output
  4. DNS provider name
    • E.g., “Cloudflare”, “Route 53”, “Namecheap”
  5. Current status in dashboard
    • “SSL Being Issued” or “Configuration Error”
  6. How long you’ve been waiting
    • E.g., “30 minutes”, “2 hours”
  7. Steps you’ve already tried
    • List what troubleshooting you’ve done
Optional but Helpful:
  • Output of curl -I http://status.mycompany.com
  • Screenshot of Watchman Tower dashboard showing status
  • Timezone/location (for DNS propagation diagnosis)

Expected Response Time

  • Initial response: Within 2-4 hours (business hours)
  • Resolution: Most DNS issues resolved within 24 hours
  • Urgent issues: Email with “URGENT” in subject for priority handling

Prevention Tips

Avoid future issues with these best practices:

Document DNS Changes

Keep a record of DNS modifications with dates and reasons

Set Reasonable TTL

Use TTL of 3600 (1 hour) or less for faster updates

Avoid Cloudflare Proxy

Never enable orange cloud for custom domain CNAME

Enable Notifications

Turn on email alerts for domain status changes in Watchman Tower

Test Before Announcing

Verify domain works in multiple browsers before sharing publicly

Monitor Certificate Expiry

Though auto-renewed, check dashboard monthly to ensure renewal succeeded

Quick Reference Commands

Copy-paste these for fast diagnostics:
# Check CNAME record
dig CNAME status.mycompany.com

# Check from Google DNS
dig @8.8.8.8 CNAME status.mycompany.com

# Test HTTP access
curl -I http://status.mycompany.com

# Test HTTPS access
curl -I https://status.mycompany.com

# Full DNS trace
dig +trace status.mycompany.com

# Check domain registration
whois mycompany.com

# Check CAA records
dig CAA mycompany.com

# Flush DNS cache (macOS)
sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder

# Flush DNS cache (Windows)
ipconfig /flushdns

# Flush DNS cache (Linux, systemd-resolved; older systemd: sudo systemd-resolve --flush-caches)
sudo resolvectl flush-caches
