Firebase Auth password-reset emails contain a link to a configured action handler URL.
When that custom-domain cert breaks, password resets go nowhere, and the rest of your app keeps working perfectly.
Firebase agencies building on Firebase Hosting + Cloud Functions + Firebase Auth deal with custom-domain auto-managed cert renewal silently failing after registrar NS changes (the ACME http-01 challenge can no longer complete), Cloud Functions HTTPS callable endpoints inheriting the same custom-domain SSL break (the mobile app fails while the Firebase console shows the function as healthy), and Firebase Auth action handler URL SSL failures that silently break password reset and email verification flows. Merlonix monitors SSL and DNS so users don't hit a broken password reset link before you know the cert was wrong.
No credit card for the trial. Cancel any time.
- Check cadence (Agency): 5 min
- SSL pre-expiry alert: 30 days
- Independent DNS resolvers: 3
- Vendors watched: 11
Where Firebase agencies get caught out
Three failure modes specific to Firebase deployments with custom-domain Hosting, Cloud Functions HTTPS callable rewrites, and Firebase Auth action handler URLs.
Firebase agencies deal with Firebase Hosting custom-domain auto-managed Let's Encrypt cert renewal silently failing after registrar NS changes (ACME http-01 challenge can no longer complete; site falls back to serving the firebaseapp.com edge cert which mismatches the custom domain), Cloud Functions HTTPS callable endpoints inheriting the same custom-domain SSL break (mobile app fails while Firebase console shows the function as healthy), and Firebase Auth action handler URL SSL failures that silently break password reset and email verification flows while the rest of the app works perfectly.
Firebase Hosting custom-domain auto-managed Let's Encrypt cert renewal depends on Firebase being able to complete the ACME http-01 challenge against the configured custom domain — when registrar NS records change (often during a domain transfer or a security review that resets NS to the registrar default), the ACME challenge can no longer reach Firebase and the auto-managed cert silently fails to renew. The site keeps loading because Firebase serves its own edge cert from firebaseapp.com, but the cert mismatches the custom domain and browsers begin showing cert warnings.
A Firebase agency operates a client product at app.client.com (Firebase Hosting custom domain pointing at <project>.web.app). The client moves the domain from one registrar to another for billing consolidation. The new registrar resets NS records to its default. Firebase's ACME challenge can no longer complete. 60 days later, the auto-managed cert at app.client.com expires; browsers show "NET::ERR_CERT_AUTHORITY_INVALID" because Firebase falls back to serving the firebaseapp.com edge cert, which doesn't match app.client.com.
A Firebase agency operates a client B2C product at app.client.com hosted on Firebase Hosting with a custom domain pointing at the project's default web.app subdomain. Firebase's auto-managed Let's Encrypt cert renews automatically every 60 days via ACME http-01 validation. The client requests a domain transfer between registrars for billing consolidation. The new registrar's default NS configuration is set during transfer; the agency engineer doesn't notice that the original NS records (which Firebase had relied on for ACME validation) have been replaced with the registrar default. Three weeks pass with no visible issues — the existing cert is still valid. Two months in, Firebase attempts the renewal cycle. The ACME http-01 challenge can no longer complete because the new NS records don't serve the validation TXT record Firebase expects. The cert silently fails to renew. After expiry, Firebase falls back to serving the project's default firebaseapp.com edge cert at app.client.com — which produces NET::ERR_CERT_AUTHORITY_INVALID because the cert subject is firebaseapp.com, not app.client.com. Users start seeing browser cert warnings on every page load. The agency engineer assumes it's a Firebase platform incident and opens a Firebase support ticket; the actual root cause is the registrar NS reset two months earlier.
Cloud Functions HTTPS callable endpoints fronted by Firebase Hosting rewrites (the standard pattern for serving custom domains from Cloud Functions) inherit the Firebase Hosting custom-domain SSL — when that custom-domain cert breaks, the mobile app's Cloud Function calls fail with cert errors while the Firebase console continues to show the function as healthy because it's reachable via the default cloudfunctions.net URL.
A Firebase agency routes the client mobile app's API calls through Firebase Hosting rewrites: api.client.com/v1/users → us-central1-project.cloudfunctions.net/users. When the api.client.com auto-managed cert breaks, the mobile app's Cloud Function calls fail with cert errors. The Firebase console shows the underlying Cloud Function as healthy (it's reachable via the cloudfunctions.net URL). The agency engineer can't reproduce the failure from the Firebase console testing UI — the cert breakage is invisible from the platform's admin surface.
A Firebase agency builds a client mobile app where the React Native frontend calls api.client.com/v1/users to fetch user data. The agency uses Firebase Hosting rewrites to route api.client.com/v1/* to a Cloud Function deployed at us-central1-project.cloudfunctions.net/users. The Firebase Hosting custom-domain auto-managed cert at api.client.com handles SSL termination. When a registrar NS change breaks ACME validation (same root cause as Problem 1), the api.client.com cert silently expires. The mobile app's Cloud Function calls start failing with NET::ERR_CERT_AUTHORITY_INVALID. The agency engineer logs into the Firebase console to investigate; the Cloud Functions section shows every function as healthy — recent invocations from the cloudfunctions.net URL succeeded, error rates are normal. The Firebase Hosting section doesn't prominently surface the custom-domain cert state. The agency engineer spends an afternoon ruling out Cloud Function-level issues (cold starts, region routing, IAM, environment variables) before checking the Firebase Hosting custom-domain settings panel and seeing the cert expiry date in red.
Firebase Auth action handler URLs (the URL Firebase sends in password-reset and email-verification emails) are configured in the Firebase Auth dashboard to point at a specific URL — when that URL is on a custom domain whose cert breaks, password reset and email verification flows silently fail because users click the email link and hit a cert error. The rest of the app works fine because it goes through different infrastructure.
A Firebase agency configures the Firebase Auth action handler URL as https://app.client.com/__/auth/action so password-reset emails contain links to the app's custom domain (instead of the default firebaseapp.com URL). When the custom-domain cert breaks, password-reset emails contain links that produce browser cert warnings. Users who try to reset their password click the link, see the cert warning, and bounce. The rest of the app works perfectly because it doesn't depend on the action handler URL.
A Firebase agency operates a client product where Firebase Auth handles user accounts. To preserve brand consistency, the agency configured the Firebase Auth action handler URL as https://app.client.com/__/auth/action (overriding the default firebaseapp.com action handler) so password-reset and email-verification emails contain links to the client's custom domain. The custom-domain auto-managed cert at app.client.com breaks (registrar NS change, same root cause). The rest of the app continues working — Firestore reads, Cloud Functions calls via different routing, and authenticated session refresh all use Firebase's default infrastructure that bypasses the custom-domain cert. But password-reset and email-verification flows silently break. Users receive the password-reset email, click the link, see "Connection is not private" in their browser, and bounce. The agency's customer support starts receiving "I can't reset my password" tickets. The agency engineer tests password reset from their dev console (which uses the default firebaseapp.com action handler — the override only applies to production templates) and can't reproduce. Three days of debugging Firebase Auth flow logic before checking the production action handler URL in a browser and seeing the cert error.
How it works
SSL and DNS monitoring for Firebase agencies across Hosting custom-domain auto-managed certs, Cloud Functions HTTPS callable rewrites, and Firebase Auth action handler URL SSL.
Merlonix monitors SSL expiry and CNAME integrity across every Firebase-attached subdomain — apex, app.*, api.* (Cloud Functions rewrite hosts), auth.* (Auth action handler hosts), plus per-tenant subdomains — and catches renewal failures caused by registrar NS changes that break Firebase's ACME http-01 challenge, Cloud Function endpoints inheriting a broken custom-domain cert (mobile app fails while the Firebase console shows the function as healthy), and Firebase Auth action handler URL hosts whose cert is about to silently break password-reset and email-verification flows.
01
Add Firebase project domains — apex, app.*, api.* (Cloud Functions rewrite hosts), auth.* (Auth action handler hosts), plus per-tenant subdomains — with DNS TXT record verification
Verify ownership with a DNS TXT record on the apex domain. All subdomains under that apex — app.*, api.* (Firebase Hosting rewrite hosts fronting Cloud Functions), auth.* (Firebase Auth action handler hosts), plus per-tenant subdomains — are added without additional verification. Monitoring every Firebase-attached subdomain from a single apex registration ensures that the custom-domain failure modes (auto-managed cert renewal silently breaking, Cloud Function call failures invisible from the Firebase console, password-reset email links going to broken cert pages) are all caught. Under two minutes per client.
02
CNAME and A record monitoring across firebaseapp.com / web.app aliases, registrar NS changes that break Firebase ACME validation, and per-project custom-domain attachments
Three independent DNS resolvers check every CNAME delegation on every monitoring interval. When a client's registrar NS records change (often during a domain transfer or a security review), Firebase's ACME http-01 challenge can no longer complete and the auto-managed cert silently fails to renew on the next 60-day cycle. The DNS change is logged immediately so the cert renewal failure two months later has a clear root cause rather than appearing as a mysterious "Firebase outage" requiring a support ticket.
03
SSL monitoring 30 days before expiry across Firebase Hosting custom-domain certs, Cloud Functions HTTPS callable endpoints fronted by Firebase Hosting rewrites, and Firebase Auth action handler URL hosts
Full SSL chain validation on every Firebase-attached subdomain — apex, app.*, api.*, auth.*, plus per-tenant subdomains. An expiry alert fires 30 days before the certificate expires — enough lead time to identify whether the failure is a registrar NS change blocking Firebase's ACME http-01 validation, a Cloud Functions HTTPS callable endpoint inheriting a broken custom-domain cert (mobile app failing while Firebase console shows the function as healthy), or a Firebase Auth action handler URL host whose cert is about to break password-reset email flows. Catches Firebase-side cert renewal failures while the public site still appears to load and Cloud Functions invocation rates look normal in the Firebase console.
04
Vendor status for Firebase, Google Cloud (underlying infrastructure), Apple Developer / APNs, Google Play Store, and other typical Firebase-stack vendors to distinguish infrastructure incidents from Firebase-specific custom-domain SSL configuration failures
Merlonix monitors Firebase, Google Cloud, Apple Developer / APNs, Google Play Store, and other typical Firebase-stack vendors' status pages alongside client SSL and DNS. When a Firebase regional incident causes Cloud Function calls to fail across multiple client deployments simultaneously, you see the vendor event — not a cluster of individual SSL alerts that each require separate investigation to determine whether the root cause is a Firebase regional outage, a registrar NS change breaking auto-managed cert renewal, or a Firebase Auth action handler URL whose cert just broke password-reset flows.
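The certificate check described in step 03, shown as an added Python example (not Merlonix's code): it flags a cert that does not cover the custom domain, which is the fallback case described above, and a cert inside the 30-day window. The function names are hypothetical and the sample certificates are constructed; `fetch_cert` shows how a live cert dict would be obtained.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # pre-expiry lead time quoted on this page


def fetch_cert(host, port=443, timeout=5.0):
    """Live fetch. The chain is still verified, so an already-expired cert
    raises ssl.SSLCertVerificationError here instead of returning."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name coverage is checked in classify()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_covers(host, cert):
    """True if a DNS subjectAltName equals host or is a one-label wildcard for it."""
    host = host.lower().rstrip(".")
    parent = host.split(".", 1)[1] if "." in host else None
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower()
        if kind == "DNS" and (name == host or (name.startswith("*.") and name[2:] == parent)):
            return True
    return False


def classify(host, cert, now):
    """Return (status, days_left) for a cert dict shaped like getpeercert()."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if not san_covers(host, cert):
        return "name-mismatch", days_left  # e.g. platform default cert on a custom domain
    if days_left < 0:
        return "expired", days_left
    return ("expiring" if days_left <= WARN_DAYS else "ok"), days_left


# Constructed sample certificates (not real certificate data).
NOW = datetime(2025, 6, 10, 12, 0, tzinfo=timezone.utc)
CUSTOM = {"notAfter": "Jun 30 12:00:00 2025 GMT", "subjectAltName": (("DNS", "app.client.com"),)}
FALLBACK = {"notAfter": "Aug  9 12:00:00 2025 GMT",
            "subjectAltName": (("DNS", "firebaseapp.com"), ("DNS", "*.firebaseapp.com"))}

if __name__ == "__main__":
    for label, cert in (("custom", CUSTOM), ("fallback", FALLBACK)):
        print(label, classify("app.client.com", cert, NOW))
```

Run the same classification against every hostname that appears in user-facing links, including the Auth action handler host, since that path is exercised only when someone clicks a reset email.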
What the numbers mean for Firebase agencies
Monitoring built for Firebase agencies where one client product means a Firebase Hosting custom-domain at app.*, a Cloud Functions HTTPS callable rewrite at api.*, and a Firebase Auth action handler URL at auth.* — each a separate SSL surface that fails differently when the auto-managed cert breaks.
Firebase agencies managing custom-domain auto-managed cert renewal across multi-client deployments, Cloud Functions HTTPS callable endpoints fronted by Firebase Hosting rewrites, and Firebase Auth action handler URLs that ride on the same custom domains need monitoring that covers every Firebase-attached subdomain — because a registrar NS change is silent until the next 60-day Firebase auto-renewal cycle, and the Firebase console keeps showing Cloud Functions as healthy while the mobile app fails because the underlying custom-domain cert quietly expired.
< 10 min
Time from DNS change to alert — catches registrar NS changes that break Firebase Hosting auto-managed cert renewal, CNAME flips on Cloud Functions custom-domain rewrite hosts that break the mobile app while Firebase console shows the function as healthy, and Auth action handler URL host CNAME changes
30 days
SSL expiry warning lead time — enough time to identify a registrar NS change blocking Firebase's ACME http-01 validation, a Cloud Functions custom-domain rewrite host with an about-to-expire cert, or a Firebase Auth action handler URL host whose cert is about to silently break password-reset email flows
11 vendors
Upstream services monitored — Firebase, Google Cloud, Apple Developer / APNs, Google Play Store, and other typical Firebase-stack vendors included to distinguish provider outages from Firebase-specific custom-domain SSL configuration failures
200 assets
Maximum monitored domains on the Agency plan — covers Firebase project apex, app.*, api.* Cloud Function rewrite hosts, auth.* action handler hosts, and per-tenant subdomains across a full Firebase client portfolio
Pricing
Flat monthly fee. Every Firebase project subdomain and Cloud Function rewrite host included.
No per-subdomain charges. No per-Firebase-project fees. Pick the tier that fits your Firebase client and project count and monitor every app.*, api.* (Cloud Function rewrite), auth.* (Action handler), and per-tenant subdomain without billing surprises.
Starter
For individual Firebase developers managing a small client portfolio with single-project Firebase Hosting custom domains.
$29/month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For Firebase agencies managing multi-project client deployments with separate app.*, api.* (Cloud Function rewrites), and auth.* (Action handler) subdomains.
$79/month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full Firebase client roster including per-tenant Hosting subdomains and multi-region Cloud Function rewrite hosts.
$199/month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when a Firebase Auth action handler URL is about to silently break password-reset emails.
Add your first Firebase client domain in under two minutes. app.*, api.* (Cloud Function rewrites), auth.* (Action handler), and per-tenant subdomains across every Firebase project for that client are monitored from the same dashboard. 14-day trial, no card required.