Django deploys api.*, admin.*, and app.* subdomains.
Each carries an independent Certbot certificate. Security hardening after launch silently breaks renewal on all of them.
Django agencies running Gunicorn and Nginx on VPS deal with Certbot renewal failures caused by post-launch UFW rules blocking port 80, Django REST Framework API subdomains carrying independent Let's Encrypt certificates outside the main monitoring setup, and platform migrations from Heroku to Railway or Render that leave SSL gaps when custom domain verification is not completed before DNS is updated. Merlonix monitors SSL and DNS so you catch certificate failures before clients see browser warnings.
No credit card for the trial. Cancel any time.
- Check cadence (Agency)
- 5 min
- SSL pre-expiry alert
- 30 days
- Independent DNS resolvers
- 3
- Vendors watched
- 11
Where Django agencies get caught out
Three failure modes specific to Django deployments on Gunicorn, Nginx, and managed PaaS platforms.
Django agencies running Certbot on Nginx deal with post-launch security hardening that silently breaks port 80 and stops Let's Encrypt renewal across every certificate on the server, REST Framework API subdomains carrying independent certificates outside the main monitoring setup, and platform migrations to Railway or Render that leave SSL gaps when DNS is updated before domain verification is complete.
Certbot HTTP-01 renewal requires port 80 to be accessible — post-launch security hardening that blocks port 80 via UFW or security group rules causes Certbot to fail renewal silently across every Nginx-managed certificate on the server
Django agencies apply security hardening to VPS deployments after the application goes live: UFW rules are tightened, cloud security groups are updated to close non-application ports, or a client's security audit requires blocking port 80 at the infrastructure layer. Certbot's HTTP-01 challenge requires that port 80 is accessible from Let's Encrypt's validation servers. When port 80 is closed, every certificate managed by Certbot on that server stops renewing
A Django application deployed to a DigitalOcean Droplet with Gunicorn and Nginx receives a security hardening pass three weeks after launch: UFW is configured to allow only 443, the application port, and SSH. Port 80 is blocked. Nginx redirects port 80 to 443 for existing HTTP requests via a server block, but Certbot's cron job cannot complete the HTTP-01 challenge because Let's Encrypt's validation servers cannot reach port 80 on the droplet. The renewal attempt fails silently. The agency has three domains on the same server — the main application, the admin panel, and the API subdomain — each with an independent Certbot certificate, all of which will fail to renew at their next 90-day cycle. The failure is discovered when a client's mobile application starts reporting SSL handshake errors on the API subdomain.
Django REST Framework APIs typically deploy on api.* or api-v2.* subdomains, each requiring an independent Let's Encrypt certificate — a subdomain added during a sprint may have its Nginx config but not its Certbot certificate configured
A Django application with a REST API, an admin panel, and a consumer frontend deploys across api.clientapp.com, admin.clientapp.com, and app.clientapp.com — each with its own Nginx server block and each requiring a separate Certbot certificate. Subdomains added during subsequent development sprints get Nginx configuration but are not always added to the Certbot certificate list
An agency builds a Django application that ships with three subdomains: the main app, a DRF REST API, and an internal admin panel. Each subdomain gets its own Nginx server block and Certbot certificate during initial deployment. Six months later, the client adds a mobile app. A webhook endpoint is added at webhooks.clientapp.com and a media upload API at upload.clientapp.com. Both get Nginx server blocks during the sprint. The engineer deploying the sprint does not run `certbot certonly` for the two new subdomains. The Nginx blocks serve HTTP without SSL or with a self-signed certificate. The mobile app's webhook receiver fails SSL validation in the App Store review. The agency is notified through the client's app rejection email, not through a monitoring alert.
Migrating a Django application from Heroku to Railway or Render requires custom domain re-verification and SSL re-provisioning on the new platform — if DNS is updated before the new platform has verified the domain, SSL provisioning fails and the migration window leaves the application on an expired or absent certificate
Heroku's ACM (Automated Certificate Management) provisions and renews SSL automatically for custom domains. When a Django application migrates to Railway, Render, or Fly.io, the new platform also handles SSL automatically — but only after the custom domain has been verified via a CNAME or A record that points at the new platform. If DNS is updated to the new platform before domain verification is complete, the SSL provisioning check fails on the new platform and no certificate is issued
A Django application on Heroku migrates to Railway after Heroku ends its free tier. The agency updates DNS A records to point at Railway's IP addresses before adding and verifying the custom domain in the Railway project settings. Railway detects the new domain's DNS records pointing at its infrastructure but cannot complete the domain verification because the CNAME token used for verification was not added to DNS before the A records were updated. SSL provisioning is blocked. The Django application loads over HTTP only on the new platform while Railway waits for domain verification. The migration was intended to be a same-day cutover. The agency discovers the SSL gap the following morning when the client's SEO report flags the site as serving mixed content.
How it works
SSL and DNS monitoring for Django agencies across Gunicorn and Nginx VPS deployments, DRF API subdomains, and managed platform migrations.
Merlonix monitors SSL expiry and DNS A record integrity across every Django application subdomain — api.*, admin.*, and app.* — and catches Certbot renewal failures caused by security hardening, platform migrations, or unconfigured DRF API subdomains before the 90-day certificate expires and the client's application returns SSL errors.
01
Add Django application domains — apex, API, admin, and webhook subdomains — with DNS TXT record verification
Verify ownership with a DNS TXT record on the apex domain. All subdomains under that apex — api.*, admin.*, app.*, webhooks.*, and upload.* — are added without additional verification. Monitoring every Django subdomain from a single apex registration ensures that subdomains added during DRF API development sprints are covered alongside the primary application domain. Under two minutes per client.
02
A record and CNAME integrity monitoring for VPS IP addresses and managed platform endpoints across Railway, Render, and Fly.io
Three independent DNS resolvers check every A record and CNAME delegation on every monitoring interval. When a Django application migrates from Heroku to Railway and DNS is updated to Railway's infrastructure, the new IP is validated across all monitored subdomains. When a subdomain was missed during a VPS migration and DNS still resolves to the old server's IP, the mismatch surfaces at the next monitoring interval. DNS change monitoring provides the audit trail that confirms a platform migration completed correctly across all Django application subdomains.
03
SSL monitoring 30 days before expiry across all Certbot-managed and platform-provisioned Django application certificates
Full SSL chain validation on every Django application subdomain — api.*, admin.*, app.*, webhook endpoints, and any Nginx-hosted endpoint. An expiry alert fires 30 days before the certificate expires — enough lead time to identify whether the failure is a port 80 block from security hardening, a Certbot profile gap from a VPS migration, a subdomain never configured in Certbot, or a platform-managed certificate that was never provisioned after a failed domain verification. Catches Certbot renewal failures on the 90-day cycle before the certificate expires and the client's application returns SSL errors.
04
Vendor status for Django hosting providers to distinguish infrastructure incidents from application SSL and DNS configuration failures
Merlonix monitors DigitalOcean, Hetzner, Railway, Render, Fly.io, and AWS status pages alongside client SSL and DNS. When a DigitalOcean regional incident causes connectivity failures across multiple Django client deployments simultaneously, you see the vendor event — not a cluster of individual SSL and DNS alerts that each require separate investigation to determine whether the root cause is a hosting platform outage or a Certbot renewal failure requiring configuration changes on the VPS.
What the numbers mean for Django agencies
Monitoring built for Django agencies where one client application means multiple subdomains, each with an independent Certbot certificate that can fail silently after a single security hardening change.
Django agencies managing Certbot across api.*, admin.*, and app.* subdomains on Gunicorn and Nginx need SSL monitoring that covers every configured subdomain — because a Certbot renewal failure on the API subdomain after UFW security hardening is silent until the 90-day certificate expires and the mobile app returns SSL handshake errors.
< 10 min
Time from DNS change to alert — catches VPS migration IP changes and Django subdomain DNS drift caused by platform migrations or registrar changes before the application returns SSL errors to clients
30 days
SSL expiry warning lead time — enough time to identify a Certbot renewal failure caused by port 80 security hardening, a VPS migration gap, an unconfigured DRF API subdomain, or a failed platform domain verification, and correct the setup before the certificate expires
11 vendors
Upstream services monitored — DigitalOcean, Hetzner, Railway, Render, Fly.io, and AWS included to distinguish infrastructure outages from Django application SSL and DNS failures requiring Certbot or platform configuration changes
200 assets
Maximum monitored domains on the Agency plan — covers primary application domains, DRF API subdomains, admin panels, webhook endpoints, and media origins across a full Django client portfolio
Pricing
Flat monthly fee. Every Django subdomain and API endpoint included.
No per-subdomain charges. No per-server fees. Pick the tier that fits your Django client count and monitor every application endpoint without billing surprises.
Starter
For individual Django developers managing a small client portfolio on VPS with Certbot.
$29/ month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For Django agencies managing multi-subdomain deployments and platform migrations.
$79/ month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full Django client roster across VPS providers and managed platforms.
$199/ month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when a Django API subdomain or Certbot certificate is about to expire.
Add your first Django client domain in under two minutes. API subdomains, admin panels, and webhook endpoints are monitored from the same dashboard. 14-day trial, no card required.