BigCommerce SSL goes through Fastly CDN.
When a client changes DNS away from the Fastly CNAME target, the certificate breaks and BigCommerce cannot renew it.
BigCommerce agencies managing custom domains deal with Fastly CDN SSL that breaks silently when clients change their DNS registrar or add a Cloudflare proxy. Multi-Storefront maps multiple brand domains from one account — each with independent SSL. Headless Catalyst deployments on Vercel or Netlify add a second SSL layer outside the BigCommerce platform that expires on a separate schedule. Merlonix monitors SSL and DNS across the full BigCommerce stack.
No credit card for the trial. Cancel any time.
- Check cadence (Agency)
- 5 min
- SSL pre-expiry alert
- 30 days
- Independent DNS resolvers
- 3
- Vendors watched
- 11
Where BigCommerce agencies get caught out
Three failure modes specific to BigCommerce agencies managing custom domains, Multi-Storefront, and headless deployments.
BigCommerce agencies deal with Fastly CDN SSL that breaks silently after client DNS changes, Multi-Storefront brand domain SSL that expires independently across each mapped storefront, and headless Catalyst deployment SSL that carries a separate certificate outside the BigCommerce platform with no native monitoring.
BigCommerce custom domain SSL goes through Fastly CDN — when a client changes DNS registrar or adds a Cloudflare proxy, the Fastly CNAME path breaks and BigCommerce cannot renew the certificate
BigCommerce provisions and renews SSL certificates through Fastly CDN for all stores on custom domains. Renewal requires that the domain's DNS CNAME record still resolves to Fastly's edge network. When a client moves their domain to a new registrar and the DNS zone is rebuilt without the Fastly CNAME, or when a client enables Cloudflare's orange-cloud proxy mode, the SSL renewal path breaks
BigCommerce stores on custom domains use a CNAME record pointing to BigCommerce's Fastly CDN endpoint. BigCommerce manages the SSL certificate through Fastly and renews it automatically as long as that CNAME delegation stays intact. When a client moves their domain to a new registrar and the DNS zone is rebuilt without the Fastly CNAME, or when a client enables Cloudflare's orange-cloud proxy which terminates TLS before the request reaches Fastly, the SSL renewal path breaks. BigCommerce marks SSL provisioning as failed, but the existing certificate continues serving until it expires. The agency discovers the failure when the BigCommerce dashboard shows an SSL error or when the client reports a storefront security warning — which may be weeks after the DNS change that caused the failure.
BigCommerce Multi-Storefront maps multiple brand domains to a single account — each domain requires independent SSL provisioning and expires on a separate schedule
BigCommerce Multi-Storefront allows agencies to run multiple storefronts for a client from a single account, with each storefront mapped to its own custom domain. Each mapped domain requires independent SSL provisioning through the BigCommerce dashboard, and each certificate expires on its own renewal cycle
A BigCommerce agency building a B2B and a D2C storefront for a manufacturer client — trade.clientbrand.com for wholesale buyers and shop.clientbrand.com for retail — manages two independent SSL certificates from the same BigCommerce account. The trade storefront SSL was provisioned first and has a different expiry date than the retail storefront. If the B2B storefront receives less traffic and the agency's monitoring only covers the primary D2C store, the trade.clientbrand.com certificate expires without any proactive alert. When wholesale buyers report that the login page shows an SSL error, the agency must identify which storefront, which domain, and which certificate — instead of receiving an automated alert 30 days before the expiry date.
BigCommerce headless deployments on Vercel or Netlify create a separate SSL layer — Catalyst and custom Next.js storefronts carry certificates outside the BigCommerce platform that expire independently
Agencies building headless BigCommerce storefronts with Catalyst or custom Next.js frontends deploy the frontend layer to Vercel, Netlify, or a self-managed CDN. The frontend deployment carries its own SSL certificate managed by the deployment platform — independent from BigCommerce's Fastly SSL management
A headless BigCommerce storefront where Catalyst runs on Vercel and the BigCommerce API serves product and cart data has two independent SSL paths: the Vercel SSL for the frontend domain and the BigCommerce Fastly SSL for the backend. The Vercel SSL renews automatically as long as the frontend domain's CNAME record continues to resolve to Vercel's edge network. When the agency migrates the Vercel project to a different team account or the client updates their DNS configuration, the Vercel SSL renewal fails silently. The storefront continues serving from Vercel's CDN cache, masking the SSL failure until cache invalidation — at which point visitors see a certificate error on the main storefront domain without any forewarning.
How it works
SSL and DNS monitoring for BigCommerce agencies across SaaS storefronts, Multi-Storefront brand domains, and headless deployments.
Merlonix monitors CNAME integrity and SSL health across every BigCommerce custom domain — including Multi-Storefront secondary brand domains and headless Catalyst frontends on Vercel — and catches Fastly CDN SSL renewal failures before client storefronts return certificate errors.
01
Add BigCommerce store domains, Multi-Storefront brand domains, and headless frontend endpoints
Verify ownership with a DNS TXT record on the apex domain. All subdomains under that apex — Multi-Storefront secondary brand domains, API subdomains for headless deployments, and checkout endpoints — are added without additional verification. Monitoring secondary brand storefronts catches Multi-Storefront SSL expiry before clients in wholesale or regional markets report errors. Under two minutes per client.
02
CNAME integrity checks on BigCommerce Fastly CDN delegations and headless deployment edge networks
Three independent DNS resolvers check every CNAME delegation on every monitoring interval. When a client changes DNS registrar and the new DNS zone is missing the Fastly CNAME that BigCommerce SSL depends on, the mismatch is detected immediately. When a client enables Cloudflare's orange-cloud proxy on the BigCommerce domain, breaking the Fastly SSL path, the CNAME change surfaces in the next monitoring interval. When a headless Catalyst deployment migrates to a new Vercel team and DNS is updated, any CNAME change on the frontend domain is detected before the Vercel SSL renewal fails.
03
SSL monitoring 30 days before expiry across all BigCommerce storefronts, brand domains, and headless endpoints
Full SSL chain validation on every BigCommerce custom domain, Multi-Storefront secondary brand domain, and headless frontend deployment. An expiry alert fires 30 days before the certificate expires — enough lead time to identify whether the failure is a CNAME drift issue, a Cloudflare proxy conflict, or a Vercel project migration, and correct the DNS configuration before customers see a storefront certificate error. Checkout subdomains and API endpoints are monitored on the same 30-day schedule as the primary storefront.
04
Vendor status for BigCommerce, Fastly, and common headless deployment platforms
Merlonix monitors BigCommerce, Fastly, Vercel, and Netlify status alongside client SSL and DNS. When a Fastly infrastructure incident causes SSL validation failures across multiple BigCommerce client storefronts simultaneously, you see the vendor event — not a cascade of individual client alerts that each require separate investigation to determine whether the cause is a client DNS change or a platform-wide CDN incident.
What the numbers mean for BigCommerce agencies
Monitoring built for BigCommerce agencies where one client can mean multiple storefronts, brand domains, and a headless frontend — each with independent SSL.
BigCommerce agencies running Multi-Storefront for multi-brand clients need SSL monitoring that covers every mapped storefront domain — because a secondary brand certificate expiring blocks that storefront while the primary store is unaffected, and Fastly CDN SSL failures after client DNS changes are silent until the certificate runs out.
< 10 min
Time from DNS change to alert — catches Fastly CNAME breaks caused by client DNS registrar migrations and Cloudflare proxy changes before the BigCommerce SSL certificate expires and storefront customers see a security warning
30 days
SSL expiry warning lead time — enough time to identify CNAME drift, correct DNS configuration, or re-provision BigCommerce or Vercel SSL before Multi-Storefront brand domains or headless frontends return certificate errors to customers
11 vendors
Upstream services monitored — BigCommerce, Fastly, Vercel, and Netlify included to distinguish platform incidents from individual client DNS changes affecting BigCommerce storefront SSL renewals
200 assets
Maximum monitored domains on the Agency plan — covers primary storefronts, Multi-Storefront brand domains, headless frontend endpoints, and API subdomains across a full BigCommerce client portfolio
Pricing
Flat monthly fee. Every Multi-Storefront brand domain and headless endpoint included.
No per-domain charges. No per-storefront fees. Pick the tier that fits your BigCommerce client count and monitor every custom domain without billing surprises.
Starter
For individual BigCommerce developers managing a small client portfolio on the SaaS platform.
$29/ month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For BigCommerce agencies managing Multi-Storefront clients and headless deployments.
$79/ month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full BigCommerce client roster across SaaS storefronts and Catalyst headless builds.
$199/ month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when a BigCommerce store domain or Fastly SSL is about to fail.
Add your first BigCommerce client domain in under two minutes. Multi-Storefront brand domains and headless Catalyst endpoints are monitored from the same dashboard. 14-day trial, no card required.