The WordPress migration finished six months ago.
The old host reclaimed the subdomain. SSL error.
Astro agencies migrating clients from WordPress, Webflow, and legacy CMSes leave behind DNS records pointing to retired hosts. Those old CNAME entries generate SSL errors months after the migration closes — when the old host reassigns the subdomain to a different tenant. Headless CMS API subdomains used for content delivery carry their own independent certificates that expire outside the agency's view. Merlonix monitors every layer.
No credit card for the trial. Cancel any time.
- Check cadence (Agency)
- 5 min
- SSL pre-expiry alert
- 30 days
- Independent DNS resolvers
- 3
- Vendors watched
- 11
Where Astro agencies get caught out
Three failure modes specific to Astro client deployments.
Astro agencies managing client migrations from legacy CMSes and integrating headless content APIs deal with DNS residue from retired hosts, CMS API subdomain SSL outside their control, and Cloudflare Pages CNAME breaks after client registrar migrations.
Migration DNS residue generates SSL errors months after launch
Old CNAME records left over from WordPress and Webflow migrations generate SSL errors when the retired host reassigns the subdomain
Astro agencies migrating clients from WordPress, Webflow, and other legacy platforms update the primary domain CNAME to point at Cloudflare Pages or Netlify. Subdomains used by the old platform — shop.clientdomain.com pointing to a WooCommerce instance, blog.clientdomain.com pointing to a WordPress multisite, or media.clientdomain.com pointing to a legacy CDN — are often left in place after migration because they appear harmless. Months later, the old hosting provider reassigns the IP or hostname behind that subdomain to a different customer. The old CNAME now resolves, but the SSL certificate on the other end belongs to a different domain entirely. The client sees an SSL error on a subdomain they have not touched since the migration. The agency has no active monitoring of the old DNS entries and no notification that the old host has reassigned the target.
Headless CMS API subdomains carry independent SSL outside agency control
Astro sites fetching content from Contentful, Sanity, and Storyblok depend on CMS API subdomains with SSL certificates the agency does not manage
Astro agencies building content-heavy client sites configure headless CMS integrations — Contentful delivery API, Sanity CDN, Storyblok image service — that the Astro site calls at build time and sometimes at runtime for live preview or incremental content. These CMS API endpoints use subdomains controlled entirely by the CMS vendor: cdn.sanity.io, cdn.contentful.com, or project-specific custom domains provisioned by the CMS for enterprise plans. Enterprise CMS plans sometimes provision project-specific subdomains with their own SSL certificates on custom CDN configurations. When a CMS vendor rotates certificates, changes CDN providers, or retires a project-specific subdomain, Astro build pipelines and runtime content fetches begin failing with SSL or DNS errors. The agency is responsible for the content delivery chain but has no monitoring on the CMS API layer.
Cloudflare Pages custom domain CNAME breaks after registrar migration
Cloudflare Pages custom domains rely on a CNAME delegation that breaks silently when clients migrate domain registrars without updating nameserver configuration
Astro agencies deploying to Cloudflare Pages configure custom domain CNAME records pointing at the Pages deployment hostname. Cloudflare provisions Universal SSL for the custom domain automatically — but only while the CNAME delegation is intact. When a client migrates their domain registrar or consolidates domains under a new DNS provider, the nameserver configuration changes. If the CNAME record is not recreated in the new DNS provider with the correct target, Cloudflare loses the delegation and the Universal SSL certificate renewal fails. The Astro site continues to load from Cloudflare's cache for existing visitors, but new visitors and certificate renewal checks fail. The break is gradual and the first hard failure — a certificate expiry — arrives weeks after the DNS delegation broke.
How it works
SSL and DNS monitoring across every domain your Astro clients have ever used.
Merlonix monitors CNAME integrity and SSL chain validity for Astro production domains, legacy migration subdomains, and Cloudflare Pages custom domain delegations — so agencies catch residue problems before retired hosts reassign them.
01
Add every subdomain — including residual records from migrations
Verify ownership with a DNS TXT record on the apex domain. Legacy subdomains left over from WordPress or Webflow migrations are added alongside production domains without additional verification. Monitoring legacy records is how you catch the reassignment problem before the client does. Under two minutes per client to get full coverage including migration residue.
02
CNAME integrity checks catch registrar migrations and reassignments
Three independent DNS resolvers check every CNAME delegation on every monitoring interval. When a Cloudflare Pages CNAME breaks after a client registrar migration, the alert fires within minutes. When an old WordPress subdomain CNAME starts resolving to a different tenant's SSL certificate, the CNAME target mismatch is detected before the client encounters the error in a browser.
03
SSL chain validation catches third-party certificate mismatches
Full SSL chain validation on every monitored domain checks not just expiry but certificate subject and chain integrity. When an old host reassigns a subdomain and presents a certificate for a different domain, the subject mismatch is caught immediately — not when a client reports a browser SSL warning. Cloudflare Pages certificate renewal failures are caught 30 days before expiry.
04
Vendor status for Cloudflare, Netlify, and Vercel
Merlonix monitors Cloudflare, Netlify, and Vercel platform status alongside client SSL and DNS. When a Cloudflare Pages deployment incident causes custom domain resolution failures across multiple Astro client portfolios, you see the vendor event before clients report individual symptoms — and before you start investigating client-specific DNS records for a platform-wide problem.
What the numbers mean for Astro agencies
Monitoring built for Astro agencies running migrations and headless CMS integrations.
Astro agencies managing client migrations from WordPress and Webflow, and integrating headless CMS content APIs, need SSL and DNS monitoring that covers not just production domains but every subdomain the client has ever pointed at a host.
< 10 min
Time from DNS change to alert — catches Cloudflare Pages CNAME breaks and old host subdomain reassignments before clients encounter SSL errors
30 days
SSL expiry warning lead time — covers Cloudflare Pages certificate renewals and any subdomain SSL independently, including legacy migration residue
11 vendors
Upstream services monitored — Cloudflare, Netlify, and Vercel included to distinguish platform incidents from client registrar-side DNS changes
200 assets
Maximum monitored domains on the Agency plan — covers production, legacy subdomains, and headless CMS custom domains across a full Astro client roster
Pricing
Flat monthly fee. Every domain and subdomain included.
No per-domain charges. No per-migration fees. Pick the tier that fits your Astro client count and add legacy subdomains without billing surprises.
Starter
For individual Astro developers managing a small client portfolio with legacy migration subdomains.
$29/ month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For Astro agencies running migrations and headless CMS integrations across multiple clients.
$79/ month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full Astro client roster including legacy migration DNS residue and headless CMS subdomains.
$199/ month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when a retired host reassigns your client's old subdomain before the client sees the SSL error.
Add your first Astro client domain in under two minutes. Production domains and legacy migration subdomains are covered from the same dashboard. 14-day trial, no card required.