Watcher stopped finding domain after first run

[AlephArgo]

Dear Watcher development team,
I had a previous Watcher installation that stopped working, meaning it stopped finding twisted domain.
I then decided to setup the latest version of Watcher on another machine.
I performed the installation as per the documentation and started all containers.
The first dnstwist run identified some domains, but the following ones didn't.
I set the Django debug to True and I'm monitoring container logs.
I notices the dnstwist jobs start every hour, and I can see the relevant log entries:
watcher | 2025-12-24T07:00:36.926238984Z INFO 2025-12-24 08:00:36,924 | Runs dnstwist for: domain1
watcher | 2025-12-24T07:00:50.184974753Z INFO 2025-12-24 08:00:50,181 | dnstwist: Successfully processed: domain1
watcher | 2025-12-24T07:00:50.197999122Z INFO 2025-12-24 08:00:50,196 | Runs dnstwist for: domain2
watcher | 2025-12-24T07:00:57.351291250Z INFO 2025-12-24 08:00:57,349 | dnstwist: Successfully processed: domain2

I have a particular domain with a term for which both dnstwist an the CTL monitor produce a lot of entries.
Now I don't have any output about that.
The same happened on the old Watcher installation, after October 31st.
Just to make sure to do dome relevant test, in the "Corporate Keywords Monitored" I setup 3 of the words most used in domain name:
online, group, shop.
After 7 hours, no domain has been detected.

I'd like to to some troubleshooting but I cannot see errors in logs.
In the log I cannot find anything relevant to the CTL monitoring, for instance.
The only errors I've got come from feeds unavailable.

Please, advice.
Thank you
stefano

[AlephArgo]

I supposed calidog certstream was not working, so I managed to install a certstream server docker image (https://github.com/d-Rickyy-b/certstream-server-go).
After some work, I made it running, chage the .env file to point to the local certstream server and the CTL monitoring restarted working.

[ygalnezri]

Hi @AlephArgo, thanks for your detailed report and for testing a local solution !

You are right, the CTL monitoring stopped because the CertStream service was not working. Following your approach, we integrated the option to use a local CertStream server directly in Watcher using https://github.com/d-Rickyy-b/certstream-server-go.

Now, by updating the .env file with the CERT_STREAM_URL pointing to your local server, Watcher resumes monitoring. This makes it fully reliable even if the public CertStream service is down.

This improvement will be included in the upcoming Watcher 3.2.3 release, which also fixes several other bugs detected in previous versions to improve overall stability.

Thanks again for reporting this and for providing a working workaround !

Kind regards, Ygal

[ygalnezri]

Hi @AlephArgo,

Thanks a lot for your detailed report and for taking the time to investigate the behavior so thoroughly.

You correctly identified the root cause: the CTL monitoring stopped because the public CertStream service became unavailable. Since Watcher depended on that external stream, no new certificate events were received, which explains why both CTL monitoring and twisted domain discovery appeared inactive after the initial run.

This issue has now been fully resolved in the latest release v3.3.0: https://github.com/thalesgroup-cert/Watcher/releases/tag/v3.3.0

Watcher now embeds a local CertStream server based on the certstream-server-go project.

To restore full functionality, simply update your .env file so that CERT_STREAM_URL points to your local CertStream instance. Once configured, CTL monitoring and domain discovery should operate continuously as expected.

If you haven’t already, please pull the latest Docker image and follow the update procedure described in the release notes, this should resolve the behavior entirely and prevent similar issues in the future.

Also, thank you for sharing your workaround and troubleshooting steps. Contributions like yours help us strengthen Watcher’s stability across different environments.

Kind regards,
Ygal