Drupal serves multiple client domains from one codebase.
Each domain has independent SSL — and none share renewal schedules.
Drupal agencies on Acquia, Pantheon, and Platform.sh manage SSL across multiple environments per client — dev, test, and live each get their own certificate. Drupal multisite configurations run multiple client domains from a single codebase, each with independent SSL. Decoupled Drupal builds add a frontend CDN domain with SSL independent from the JSON:API backend. Merlonix monitors SSL and DNS so you see expiry before clients do.
No credit card for the trial. Cancel any time.
- Check cadence (Agency)
- 5 min
- SSL pre-expiry alert
- 30 days
- Independent DNS resolvers
- 3
- Vendors watched
- 11
Where Drupal agencies get caught out
Three failure modes specific to Drupal client deployments on Acquia, Pantheon, and Platform.sh.
Drupal agencies managing enterprise hosting environments deal with Pantheon Let's Encrypt silent renewal failures, Acquia per-environment SSL that expires independently, and decoupled backend SSL expiry that surfaces as missing content rather than SSL errors.
Pantheon Let's Encrypt renewal fails silently when the HTTPS upgrade is enabled but the client DNS CNAME changes
Pantheon's HTTPS upgrade feature enables automatic SSL provisioning — but when a client moves their DNS to a new provider and removes or changes the CNAME pointing at Pantheon, Let's Encrypt renewal fails at the next renewal cycle with no notification to the agency
Pantheon's HTTPS upgrade setting provisions Let's Encrypt certificates for Drupal client domains using Pantheon's CNAME target as the domain routing mechanism. When a client migrates DNS to a new registrar or DNS provider — which is common during website relaunches, registrar consolidations, or IT handoffs — the new DNS zone may not include the correct Pantheon CNAME. Pantheon's Let's Encrypt certificates have a 90-day validity period and renew automatically only when the CNAME is correctly pointing at the Pantheon infrastructure. If the CNAME is changed and the renewal cycle occurs with the wrong DNS configuration, the renewal fails silently. The existing certificate continues to serve until expiry. The failure is discovered either when the 90-day certificate expires and the Drupal site begins returning SSL errors to every visitor, or when the agency manually checks the certificate in the browser — not from any automated Pantheon notification.
Acquia provisions separate SSL per environment — dev, test, and live each expire independently
Drupal agencies on Acquia manage SSL for at least three environments per client: dev.clientdomain.com, test.clientdomain.com, and live.clientdomain.com — each with a certificate provisioned separately and expiring on a different date
Acquia's hosting architecture provides each Drupal environment with its own custom domain configuration and SSL certificate. Agencies connecting client domains to Acquia environments add CNAMEs for each environment separately, and each certificate is provisioned individually. Development and test environment SSL certificates receive less monitoring attention than production — they are accessed less frequently and their SSL errors are less visually obvious. When test.clientdomain.com SSL expires, client QA teams and internal stakeholders begin seeing SSL errors before the production site is affected, creating confusion about whether a deployment caused a problem or the certificate simply expired. Agencies managing multiple Drupal clients on Acquia face SSL expiry risk across every environment for every client — not just production.
Decoupled Drupal builds add a frontend CDN domain with SSL independent from the JSON:API backend
Decoupled Drupal architectures run a Drupal JSON:API backend on one domain and a React, Next.js, or Gatsby frontend on another — both require independent SSL, and the frontend CDN domain is often managed by a different team member than the Drupal server
Drupal agencies building decoupled or headless applications deploy the Drupal backend on a subdomain (api.clientdomain.com, cms.clientdomain.com, or a separate domain entirely) and a JavaScript frontend on the primary client domain via a CDN like Netlify or Vercel. The Drupal backend SSL is managed by whoever provisions the Acquia, Pantheon, or Platform.sh environment. The frontend CDN SSL is managed by Netlify or Vercel's certificate provisioning. The two certificates expire independently. When the Drupal JSON:API backend SSL expires, the frontend continues to appear to load — but all API data fetching fails. Users see the site's shell with empty content or loading spinners. For editorial-heavy clients, the first visible sign is often a client reporting that new content is not appearing on the site — not a browser SSL error that directly points to the cause.
How it works
SSL and DNS monitoring for Drupal applications on Acquia, Pantheon, Platform.sh, and Kinsta.
Merlonix monitors CNAME integrity and SSL health across every Drupal environment — dev, test, and live — along with Drupal multisite domains and decoupled backend API subdomains.
01
Add production domains, environment subdomains, and decoupled frontend/backend endpoints
Verify ownership with a DNS TXT record on the apex domain. Acquia dev/test/live environment subdomains, Drupal multisite domains, decoupled backend API subdomains, and Pantheon CNAME targets are added without additional verification. Monitoring all environments catches Acquia environment expiry and Pantheon renewal failures before internal users or client QA teams encounter SSL errors. Under two minutes per client.
02
CNAME integrity checks on Acquia, Pantheon, and Platform.sh hostnames
Three independent DNS resolvers check every CNAME delegation on every monitoring interval — whether the target is an Acquia server hostname, a Pantheon site hostname, a Platform.sh environment URL, or a Kinsta domain mapping. When a client DNS change removes or updates a Pantheon CNAME — causing Let's Encrypt renewal to fail at the next cycle — the target mismatch is detected immediately. When a Platform.sh environment branch is deleted and a subdomain loses its CNAME routing, the break is detected before clients report it.
03
SSL monitoring 30 days before expiry across all Drupal environments and decoupled endpoints
Full SSL chain validation on every Drupal environment domain, Drupal multisite domain, and decoupled frontend and backend subdomain. An expiry alert fires 30 days before the certificate expires — enough lead time to verify Pantheon Let's Encrypt renewal status, check Acquia environment certificate health, or provision a replacement for a failed renewal. All certificates are monitored regardless of which environment or platform provisioned them.
04
Vendor status for Acquia, Pantheon, Platform.sh, and Kinsta
Merlonix monitors Acquia, Pantheon, Platform.sh, and Kinsta platform status alongside client SSL and DNS. When a Pantheon infrastructure incident causes SSL validation failures across multiple Drupal client environments simultaneously, you see the vendor event — not a cascade of individual client alerts that each require separate investigation to determine whether the cause is client-specific or platform-wide.
What the numbers mean for Drupal agencies
Monitoring built for Drupal agencies where one client means three environments, each with independent SSL.
Drupal agencies managing Acquia and Pantheon environments need SSL monitoring that covers every environment subdomain — because dev and test environment certificate expiry affects client QA teams before production is touched, and decoupled backend SSL expiry surfaces as missing content rather than a browser SSL error.
< 10 min
Time from DNS change to alert — catches Pantheon CNAME changes that would block Let's Encrypt renewal and Acquia domain misconfigurations before they affect client environments
30 days
SSL expiry warning lead time — enough time to verify Pantheon or Acquia certificate renewal, or provision a replacement across all Drupal environments before clients see SSL errors
11 vendors
Upstream services monitored — Acquia, Pantheon, and Platform.sh included to distinguish platform incidents from client DNS changes on Drupal deployments
200 assets
Maximum monitored domains on the Agency plan — covers production, dev, test, multisite domains, and decoupled frontend/backend endpoints across a full Drupal client roster
Pricing
Flat monthly fee. Every environment subdomain and decoupled endpoint included.
No per-domain charges. No per-platform fees. Pick the tier that fits your Drupal client count and monitor every environment without billing surprises.
Starter
For individual Drupal developers managing a small client portfolio across Pantheon or Acquia.
$29/ month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For Drupal agencies managing multi-environment client deployments on Acquia, Pantheon, or Platform.sh.
$79/ month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full Drupal client roster across multiple enterprise hosting platforms.
$199/ month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when a Drupal environment certificate or decoupled backend SSL is about to expire.
Add your first Drupal client domain in under two minutes. Dev, test, and live environment subdomains, Drupal multisite domains, and decoupled frontend and backend endpoints are monitored from the same dashboard. 14-day trial, no card required.