---
checkId: check.timestamp.tsa.reachable
plugin: stellaops.doctor.timestamping
severity: fail
tags: [timestamping, tsa, availability, connectivity]
---

# TSA Availability

## What It Checks

Verifies that configured TSA (Time Stamp Authority) endpoints are reachable and responding. The check:

- Probes each endpoint from the `TsaEndpoints` configuration via HTTP HEAD requests.
- Considers HTTP 2xx and 405 (Method Not Allowed) as healthy responses (405 means the TSA is alive but only accepts POST).
- Reports the count of healthy vs. unhealthy endpoints.
- Degrades if no endpoints are configured. Fails if no endpoints are reachable. Warns if some are down.

## Why It Matters

TSA endpoints provide RFC-3161 timestamps that anchor release evidence in time. If no TSA is reachable, new evidence cannot be timestamped, blocking policy-gated releases that require verifiable timestamps. This is a critical-severity check.

## Common Causes

- TSA endpoint server is down or unreachable
- Network connectivity issues or firewall blocking HTTPS
- DNS resolution failure
- TSA provider maintenance or outage

## How to Fix

### Docker Compose

```yaml
environment:
  Timestamping__TsaEndpoints__0__Name: "FreeTSA"
  Timestamping__TsaEndpoints__0__Url: "https://freetsa.org/tsr"
  Timestamping__TsaEndpoints__1__Name: "DigiCert"
  Timestamping__TsaEndpoints__1__Url: "http://timestamp.digicert.com"
```

### Bare Metal / systemd

```json
{
  "Timestamping": {
    "TsaEndpoints": [
      { "Name": "FreeTSA", "Url": "https://freetsa.org/tsr" },
      { "Name": "DigiCert", "Url": "http://timestamp.digicert.com" }
    ]
  }
}
```

Test connectivity:

```bash
curl -I https://freetsa.org/tsr
```

### Kubernetes / Helm

```yaml
timestamping:
  tsaEndpoints:
    - name: "FreeTSA"
      url: "https://freetsa.org/tsr"
    - name: "DigiCert"
      url: "http://timestamp.digicert.com"
```

## Verification

```
stella doctor run --check check.timestamp.tsa.reachable
```

## Related Checks

- `check.timestamp.tsa.response-time` — measures TSA response latency
- `check.timestamp.tsa.valid-response` — verifies TSA returns valid RFC-3161 responses
- `check.timestamp.tsa.failover-ready` — confirms backup TSA endpoints for failover
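The following script is an added example, not code from the StellaOps doctor plugin. It reproduces the probe-and-verdict rules from "What It Checks" (HEAD probe; 2xx or 405 is healthy; degraded / fail / warn / pass depending on how many endpoints answer) and reads endpoints from the `Timestamping__TsaEndpoints__N__Name` / `__Url` environment-variable layout shown in the Docker Compose fix. The function and field names (`evaluate`, `probe_head`, `endpoints_from_env`, `CheckResult`) are this example's own, and the probe is injectable so the verdict logic can be exercised against constructed results without network access.

```python
# Added example (not StellaOps code): stand-alone reproduction of the
# tsa.reachable probe-and-verdict logic, runnable from a shell with the
# same Timestamping__TsaEndpoints__* environment variables as the service.
import os
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Sequence

# Env-var convention from the Docker Compose snippet:
#   Timestamping__TsaEndpoints__<index>__Name / __Url
ENV_PATTERN = re.compile(r"^Timestamping__TsaEndpoints__(\d+)__(Name|Url)$")


@dataclass(frozen=True)
class Endpoint:
    name: str
    url: str


@dataclass(frozen=True)
class CheckResult:
    status: str      # "pass", "warn", "fail" or "degraded"
    healthy: int
    unhealthy: int
    detail: str


def endpoints_from_env(environ: Mapping[str, str]) -> list[Endpoint]:
    """Collect TsaEndpoints entries from Timestamping__TsaEndpoints__N__* keys."""
    slots: dict[int, dict[str, str]] = {}
    for key, value in environ.items():
        m = ENV_PATTERN.match(key)
        if m:
            slots.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return [
        Endpoint(slots[i].get("Name", f"endpoint-{i}"), slots[i]["Url"])
        for i in sorted(slots)
        if "Url" in slots[i]
    ]


def is_healthy_status(status: Optional[int]) -> bool:
    """2xx, or 405 (TSA is up but accepts only POST), counts as healthy."""
    return status is not None and (200 <= status < 300 or status == 405)


def probe_head(url: str, timeout: float = 5.0) -> Optional[int]:
    """HEAD the endpoint; return its HTTP status, or None if no HTTP reply came back."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code        # e.g. 405 from a POST-only TSA, or 5xx from an outage
    except (urllib.error.URLError, OSError):
        return None          # DNS failure, refused connection, firewall drop, timeout


def evaluate(endpoints: Sequence[Endpoint],
             probe: Callable[[str], Optional[int]] = probe_head) -> CheckResult:
    """Apply the check's verdict rules to the per-endpoint probe results."""
    if not endpoints:
        return CheckResult("degraded", 0, 0, "no TSA endpoints configured")
    healthy, unhealthy, down = 0, 0, []
    for ep in endpoints:
        status = probe(ep.url)
        if is_healthy_status(status):
            healthy += 1
        else:
            unhealthy += 1
            shown = status if status is not None else "no response"
            down.append(f"{ep.name} ({ep.url}) -> {shown}")
    detail = f"{healthy} healthy, {unhealthy} unhealthy"
    if down:
        detail += "; down: " + ", ".join(down)
    if healthy == 0:
        return CheckResult("fail", healthy, unhealthy, detail)   # nothing reachable
    if unhealthy:
        return CheckResult("warn", healthy, unhealthy, detail)   # partial outage
    return CheckResult("pass", healthy, unhealthy, detail)


if __name__ == "__main__":
    # Reads the same env vars the Docker Compose example sets; non-zero exit
    # unless every configured endpoint answered.
    result = evaluate(endpoints_from_env(os.environ))
    print(f"[{result.status}] {result.detail}")
    sys.exit(0 if result.status == "pass" else 1)
```

Running it with the two Compose endpoints exported gives the same healthy/unhealthy breakdown the doctor check reports; a 405 from a POST-only TSA is counted as healthy, while a 5xx, a DNS failure or a connection timeout is counted as down.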