Merlonix vs Alertmanager for Agencies: Infrastructure Alerting vs. Client SSL Portfolio Monitoring
Alertmanager is the alerting component of the Prometheus monitoring stack. It receives alerts from Prometheus, handles deduplication and grouping, and routes notifications to receivers like Slack, PagerDuty, or email. It is a well-designed tool for infrastructure and application monitoring teams running their own Prometheus deployments.
It is not an SSL monitoring tool.
This post is written for agencies who have evaluated or are currently using the Prometheus + Alertmanager stack for client SSL and DNS monitoring — or who are considering it because they already run Prometheus for infrastructure monitoring. The fit problems are consistent and worth understanding before investing in the setup.
What Alertmanager Is
Alertmanager does not collect metrics. It receives firing alerts from Prometheus and routes them to notification channels. The alert collection — checking whether SSL certificates are valid and expiring — is done by Prometheus using the blackbox_exporter, which is a separate component that probes HTTP/HTTPS endpoints, TCP connections, DNS queries, and ICMP.
To use Prometheus + Alertmanager for SSL monitoring, you need:
- Prometheus (metrics collection)
- blackbox_exporter (the probe that makes HTTPS connections and checks SSL expiry)
- Prometheus alerting rules (configured to fire when probe_ssl_earliest_cert_expiry is within 30 days)
- Alertmanager (routing the fired alerts to Slack, email, or PagerDuty)
This is a complete monitoring stack that requires setup, configuration, and ongoing maintenance. None of these components are purpose-built for SSL monitoring — SSL certificate checking is one of many things blackbox_exporter can do.
Fit Problems for Agency SSL Monitoring
No Native CNAME Integrity Monitoring
The Prometheus blackbox_exporter checks whether an HTTPS endpoint returns a valid response and validates the SSL certificate. It does not check whether the DNS CNAME record for a domain points at the expected hostname.
CNAME integrity is critical for agencies because the most common SSL failure mode in agency deployments is not certificate expiry — it is Let's Encrypt renewal failure caused by CNAME changes. When a client migrates DNS to a new provider and the new zone is missing the CNAME that the hosting platform uses to validate domain ownership for renewal, the existing certificate continues to serve until it expires 90 days later. The CNAME problem is not detectable from an HTTPS probe — the probe returns 200 and the certificate shows as valid until the day it expires.
Building CNAME integrity monitoring on top of Prometheus requires custom exporters or scripted checks outside the standard blackbox_exporter probe set. It is not a configuration option — it requires custom code.
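A scripted check of the kind this section describes, as an added example that is not part of the original post or of any Prometheus or Merlonix component: it compares each domain's CNAME against the expected hostname and renders the result in Prometheus text exposition format. The domains, hostnames, the `client_cname_ok` metric name and the sample answers are constructed for illustration; the live lookup assumes the dnspython package.

```python
def normalize(name):
    """Lower-case and drop the trailing root dot so equal DNS names compare equal."""
    return name.strip().rstrip(".").lower()

def lookup_cname(domain):
    """Live lookup (assumes dnspython is installed). Returns the CNAME target or None."""
    import dns.resolver  # imported lazily: the sample run needs neither dnspython nor network
    try:
        answer = dns.resolver.resolve(domain, "CNAME")
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return None
    return str(answer[0].target)

def check_portfolio(expected, lookup=lookup_cname):
    """Map each domain to (status, observed); status: ok, mismatch, missing, error."""
    results = {}
    for domain, want in expected.items():
        try:
            got = lookup(domain)
        except Exception:  # timeout, SERVFAIL, ...: unknown state, never a pass
            results[domain] = ("error", None)
            continue
        if got is None:
            results[domain] = ("missing", None)
        elif normalize(got) == normalize(want):
            results[domain] = ("ok", normalize(got))
        else:
            results[domain] = ("mismatch", normalize(got))
    return results

def render_metrics(results):
    """Prometheus text exposition format: value is 1 only when the CNAME matches."""
    lines = ["# TYPE client_cname_ok gauge"]  # hypothetical metric name
    for domain, (status, _) in sorted(results.items()):
        lines.append(f'client_cname_ok{{domain="{domain}"}} {int(status == "ok")}')
    return "\n".join(lines) + "\n"

# Constructed sample data: hypothetical client domains and platform hostname.
EXPECTED = {
    "www.client-a.example": "sites.hosting-platform.example",
    "www.client-b.example": "sites.hosting-platform.example",
    "www.client-c.example": "sites.hosting-platform.example",
}
# Constructed answers standing in for live DNS: client-b's new zone is missing
# the record, client-c's record points at a different host.
SAMPLE_ANSWERS = {
    "www.client-a.example": "Sites.Hosting-Platform.example.",
    "www.client-c.example": "old-host.example.",
}

if __name__ == "__main__":
    print(render_metrics(check_portfolio(EXPECTED, SAMPLE_ANSWERS.get)), end="")
```

An alerting rule on `client_cname_ok == 0` would then flow through Alertmanager like any other alert.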
No Per-Client Account Isolation
Prometheus + Alertmanager is built for single-organization monitoring. All metrics, alert rules, and routing configurations are in one namespace. For agencies managing 20 to 100 clients, this creates two problems.
First, there is no per-client access control. A client cannot log in and see only their own domain monitoring status — the agency would need to build that layer on top. Second, alert routing is global: alert rules and receiver configurations are shared across all clients in the Prometheus configuration. Managing per-client notification preferences, per-client escalation paths, and per-client alert thresholds requires increasingly complex Prometheus alert rule label schemas and Alertmanager routing trees.
Agencies with large client portfolios frequently report that the Prometheus alert rule configuration becomes difficult to maintain as the client list grows — particularly when clients have different notification preferences or when an agency needs to add or remove a client's domains without affecting other clients.
Infrastructure Setup and Maintenance Overhead
The Prometheus + Alertmanager stack requires infrastructure: a Prometheus server, a blackbox_exporter deployment, an Alertmanager instance, and typically a Grafana dashboard. All of these need to run reliably. If the monitoring infrastructure itself goes down — the Prometheus server crashes, the blackbox_exporter host has a disk issue, the Alertmanager VM is rebooted — SSL monitoring stops.
For agencies offering SSL monitoring as part of a client retainer, the reliability of the monitoring infrastructure is the product. A monitoring stack that requires self-management introduces an ongoing maintenance responsibility that is separate from client work. Monitoring the monitoring infrastructure becomes its own operational task.
Certificate Expiry Alerting Requires Manual Rule Configuration
The Prometheus blackbox_exporter exposes a metric probe_ssl_earliest_cert_expiry as a Unix timestamp. To generate alerts at 30, 14, and 7 days before expiry, an agency needs to write Prometheus alerting rules against that metric. The rules need to be written correctly (the timestamp math is easy to get wrong), maintained across Prometheus upgrades, and updated when the alert lead time preference changes.
This is not a significant burden for a DevOps team fluent in PromQL — but for an agency whose core expertise is client websites rather than infrastructure monitoring, it is overhead that does not directly serve clients.
Where Alertmanager Fits Well
Alertmanager is a strong choice for DevOps and platform teams running Prometheus who want to add SSL certificate checks alongside existing infrastructure and application monitoring. If an agency already runs Prometheus for internal infrastructure monitoring, adding blackbox_exporter SSL probes to that existing stack is a reasonable addition.
The fit breaks down specifically for agencies using the stack as the primary monitoring layer for client SSL and DNS portfolios — where per-client isolation, CNAME integrity monitoring, and minimal setup overhead are the core requirements.
How Merlonix Compares
Merlonix is purpose-built for agency SSL and DNS monitoring. Adding a new client domain takes under two minutes and requires no infrastructure setup. CNAME integrity monitoring is included on every monitoring interval — three independent DNS resolvers check whether each domain's CNAME points at the expected hostname. When a client changes DNS providers and the CNAME breaks, the alert fires within the next monitoring interval rather than when the certificate expires 90 days later.
Per-client account isolation is included in the Agency plan. Client-facing status access, per-client notification routing, and the ability to add or remove client domains without affecting other clients are standard features.
For agencies already running Prometheus for internal infrastructure monitoring and looking for a purpose-built layer for client SSL portfolio monitoring, the two tools complement rather than replace each other: Prometheus handles infrastructure, Merlonix handles client SSL and DNS.