Self-hosted means you own
every SSL failure on your clients' behalf.
Craft CMS agencies manage self-hosted deployments where the agency controls the SSL lifecycle directly. Let's Encrypt auto-renewal breaks silently after PHP upgrades, server migrations, and Nginx config changes. CAA records from previous certificate authorities block re-issuance without a visible error. Multi-environment subdomain configurations — staging, dev, API, CDN-proxied production — create a monitoring surface that standard uptime checks miss entirely.
No credit card for the trial. Cancel any time.
- Check cadence (Agency)
- 5 min
- SSL pre-expiry alert
- 30 days
- Vendors watched
- 11
- Independent DNS resolvers
- 3
Where Craft CMS agencies get caught out
Three failure modes specific to self-hosted Craft CMS deployments.
Craft CMS agencies own the SSL lifecycle in a way that hosted-platform agencies do not. Self-hosting means direct responsibility for renewal processes, certificate authority relationships, and multi-environment subdomain configurations — and all of those fail silently without external monitoring.
Let's Encrypt renewal failure
Let's Encrypt auto-renewal breaks silently after server configuration changes
Craft CMS sites run on VPS or dedicated servers where certbot or acme.sh manages Let's Encrypt renewal via cron. After a PHP upgrade, Nginx configuration change, or server migration, the renewal process frequently breaks: the challenge path is no longer served, the webroot has moved, or the cron job is running as the wrong user. The existing certificate continues serving until it expires — then the site goes down with no warning.
CAA record conflict
CAA records from a previous certificate authority block re-issuance
When a Craft CMS client migrates from a commercial SSL certificate (DigiCert, Sectigo) to Let's Encrypt, or from one CA to another during a server migration, CAA records at the registrar may still restrict certificate issuance to the previous CA. Let's Encrypt's ACME challenge succeeds but certificate issuance fails because CAA validation rejects it. The failure mode is silent — certbot reports an error in its log that no one reads until the certificate expires.
Multi-environment subdomain drift
Staging, dev, API, and CDN-proxied subdomains create a wide failure surface
Craft CMS agencies typically manage multi-environment configurations: production at clientdomain.com, staging at staging.clientdomain.com, and sometimes API subdomains at api.clientdomain.com. CDN-proxied production adds Cloudflare or Fastly CNAME records on top. Each environment has its own SSL certificate and its own renewal process. When a server migration is partial or a CDN proxy rule breaks, specific subdomains fail while the production site stays up — masking the failure until clients or their end users notice.
How it works
SSL and DNS monitoring for self-hosted Craft CMS deployments.
Merlonix is designed for agencies managing self-hosted CMS deployments where the SSL and DNS lifecycle is directly owned by the agency. One account covers every client site, every environment subdomain, with alerts that give you time to fix renewal processes before certificates expire.
01
Add production domains and all environment subdomains
Verify ownership with a DNS TXT record — works for production, staging, dev, API, and CDN-proxied subdomains. One verification per apex domain covers all subdomains. For multi-environment Craft CMS deployments, add every subdomain independently to get per-environment SSL chain validation.
02
Full certificate chain validation catches renewal failures before expiry
Merlonix validates the complete certificate chain on every check interval — expiry date, issuer, chain completeness, SAN coverage. Broken renewal processes are visible as chain integrity changes before expiry: when certbot renews from Let's Encrypt but the Nginx config isn't reloaded, the new certificate chain is present on disk but the server serves the old one. That chain mismatch fires an alert.
03
DNS record monitoring across CDN proxy layers
Three independent DNS resolvers verify CNAME, A record, and NS record integrity for every monitored subdomain. When a CDN proxy rule breaks — a Cloudflare orange-cloud toggle, a Fastly service misconfiguration — the DNS layer change fires an alert within minutes. CDN-proxied Craft CMS deployments have a failure layer that pure HTTP uptime checks cannot see.
04
CAA record monitoring prevents silent re-issuance failures
Merlonix includes DNS record monitoring for CAA records — the DNS records that control which certificate authorities are permitted to issue certificates for a domain. When CAA records are inherited from a previous CA and block Let's Encrypt re-issuance, the conflict is visible in the DNS layer before the certificate expires.
What the numbers mean for Craft CMS agencies
Monitoring built for self-hosted SSL complexity.
Craft CMS agencies own more of the infrastructure stack than agencies working with hosted platforms. That ownership creates direct responsibility for SSL renewal processes, CAA record configuration, and multi-environment subdomain health. Merlonix is built to make that responsibility visible before client sites fail.
30 days
SSL expiry warning lead time — enough time to diagnose and fix Let's Encrypt renewal failures before certificates expire
< 10 min
Time from DNS change to alert — catches CDN proxy layer breaks and nameserver changes before end users notice
11 vendors
Upstream services monitored — CDN and hosting provider status included so you see infrastructure incidents before clients call
200 assets
Maximum monitored domains on the Agency plan — covers production, staging, API, and CDN-proxied subdomains across a full Craft CMS client roster
Pricing
Flat monthly fee. Every domain and subdomain included.
No per-domain charges. No per-environment fees. Pick the tier that fits your Craft CMS client count and cover every subdomain without billing surprises.
Starter
For consultants managing a small Craft CMS client portfolio.
$29/ month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For Craft CMS agencies with multiple self-hosted client deployments.
$79/ month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full Craft CMS client roster including multi-environment subdomain configurations.
$199/ month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know before the renewal cron fails.
Add your first Craft CMS client domain in under two minutes. The first SSL chain alert tells you whether monitoring was worth it — usually within the first week. 14-day trial, no card required.