Flask-Login's Secure cookie is silently rejected when the cert is wrong.
Every signed-in user is logged out and Flask logs nothing because no exception is thrown.
Flask agencies running Gunicorn or uWSGI behind nginx with Certbot deal with Certbot --nginx silently re-issuing certificates against the wrong server_name when nginx site configs are copy-pasted, Flask blueprint subdomain routing where api.* and admin.* never received their own Certbot certs, and Flask-Login Secure cookies that browsers reject without any logged error when the cert is expired. Merlonix monitors SSL and DNS so users don't silently get logged out before you know the cert was wrong.
No credit card for the trial. Cancel any time.
- Check cadence (Agency)
- 5 min
- SSL pre-expiry alert
- 30 days
- Independent DNS resolvers
- 3
- Vendors watched
- 11
Where Flask agencies get caught out
Three failure modes specific to Flask deployments on Gunicorn behind nginx with Certbot, blueprint subdomain routing, and Flask-Login Secure cookies.
Flask agencies running Gunicorn or uWSGI behind nginx deal with Certbot --nginx silently re-issuing certs against the wrong server_name when site configs are copy-pasted, blueprint subdomain routing where api.* and admin.* never received their own Certbot cert, and Flask-Login Secure cookies that browsers silently strip when the cert is expired — producing a wave of signed-out users with no exception in Flask logs.
Certbot --nginx auto-detects which server block to install a certificate against by parsing every nginx site config and matching server_name directives — when an engineer copies an existing client's nginx config to bootstrap a new client and forgets to update one of the server_name values, Certbot re-issues against the wrong vhost on the next renewal cycle and the original client's cert silently disappears
A Flask agency runs four client Flask apps on a single Hetzner VPS, each with its own /etc/nginx/sites-available/<client>.conf and Gunicorn unit file. An engineer adds a new client by copying client-a.conf to client-e.conf and editing the upstream + root paths but forgets to change the second server_name line referencing client-a.com. The next Certbot renewal cycle runs `certbot renew --nginx` which re-issues the cert against client-e.conf because that file lists both client-a.com and client-e.com under server_name. The certificate now covers client-e.com only — Certbot cleans up the old client-a-only cert from /etc/letsencrypt/live/
A Flask agency adds a new client to an existing nginx host by copying the previous client's site config and running Gunicorn under a new systemd unit. The engineer changes the upstream pass to the new Gunicorn socket and the root document directory but doesn't notice that a server block in the file lists two server_names — the original client-a.com and a forgotten test domain. Certbot --nginx parses the file on the next renewal run and decides client-a.com is now associated with the client-e.conf file. It re-issues a cert covering only client-e.com. The previous client-a-only cert is removed from /etc/letsencrypt/live/client-a.com/. Six weeks pass before client-a notices their Flask login form returns "Connection is not private" in Chrome on the next browser session. The agency engineer runs `certbot certificates` and sees client-a.com is no longer listed; reconstructing the cert requires re-issuing under the original config file with the typo fixed.
Flask blueprints with subdomain routing (Blueprint('api', __name__, subdomain='api')) make a single Flask app handle requests across multiple subdomains — but the SSL and nginx configuration for each subdomain is independent. When an agency adds an api.* blueprint without provisioning a Certbot cert for api.client.com, the api subdomain serves nginx's default snakeoil cert and every API request from the client SDK fails the TLS handshake before reaching Flask
A Flask agency builds a client SaaS with the marketing site at client.com and the JSON API at api.client.com. The Flask app uses Blueprint('api', __name__, subdomain='api') and is configured with SERVER_NAME=client.com. The agency provisions a Certbot cert for client.com and www.client.com but the production nginx config has only one server block for client.com. When the API blueprint is launched, requests to api.client.com hit nginx's default vhost which serves the unsigned snakeoil cert
A Flask agency builds a client product where the marketing site at client.com and the JSON API at api.client.com share a single Flask app via subdomain blueprints. SERVER_NAME is set to client.com in app config; the API blueprint is registered with subdomain="api"; Flask's URL routing splits requests to the appropriate blueprint based on the Host header. The agency provisions a Certbot cert via `certbot --nginx -d client.com -d www.client.com` and forgets the api.client.com argument. The api.client.com nginx vhost is never created — requests reach nginx's default server block which serves the host's self-signed snakeoil cert installed when nginx was installed. The browser SDK calling api.client.com gets net::ERR_CERT_AUTHORITY_INVALID. The agency assumes it's a Flask routing bug and spends three hours debugging blueprint configuration before realizing nginx never had an api.client.com server block at all. By then the client demo has ended.
Flask-Login's session cookie defaults to Secure=True in production via SESSION_COOKIE_SECURE = True — when the cert is expired or for the wrong domain, browsers silently strip the cookie from outgoing requests and the user appears to be logged out, but no exception is raised in Flask because no error occurs server-side; the issue is invisible to standard error monitoring
A Flask agency operates a client e-commerce app using Flask-Login for session management. SESSION_COOKIE_SECURE = True is set in production config so the session cookie is only transmitted over HTTPS. The Certbot cert expires at 03:00 UTC on a weekend. nginx continues serving the expired cert because Certbot couldn't complete renewal due to a Cloudflare proxy interaction. Browsers silently mark the cert as untrusted and refuse to send the Secure-flagged session cookie
A Flask agency operates a client e-commerce app where every signed-in user has a Flask-Login session cookie marked Secure. SESSION_COOKIE_SECURE = True is set in production config to prevent cookie transmission over plain HTTP. A Certbot renewal at 02:00 UTC fails because the client recently turned on Cloudflare's proxy (orange cloud), and Certbot --nginx's ACME http-01 challenge can't complete through Cloudflare's SSL/TLS layer. nginx continues serving the expired cert. At 03:00 the cert expires. By 09:00 client customer support tickets start arriving from users saying "I can't stay logged in." Flask logs show no errors. Sentry shows no exceptions. The Flask app continues processing anonymous requests perfectly — the issue only manifests as users repeatedly being kicked back to the login page because the browser silently dropped the Flask-Login session cookie due to the bad cert. The agency engineer doesn't connect the cert expiry to the silent logout pattern for four hours; the only signal is the support ticket volume.
How it works
SSL and DNS monitoring for Flask agencies across Gunicorn behind nginx with Certbot, blueprint subdomain routing for api.* and admin.* hosts, and Heroku and Render managed certs.
Merlonix monitors SSL expiry and DNS A record integrity across every Flask application subdomain — apex, www.*, blueprint subdomain hosts, admin and dashboard subdomains — and catches renewal failures caused by Certbot --nginx server_name collisions, missing Certbot cert provisioning for api.* blueprint hosts, or Cloudflare proxy interactions that break ACME http-01 validation before users start getting silently logged out by Flask-Login Secure cookie rejection.
01
Add Flask application domains — apex, www.*, api.*, admin.*, dash.*, app.* — including subdomain blueprint hosts, with DNS TXT record verification
Verify ownership with a DNS TXT record on the apex domain. All subdomains under that apex — api.*, admin.*, dash.*, app.*, plus any subdomain blueprint hosts your Flask SERVER_NAME and Blueprint subdomain config can route to — are added without additional verification. Monitoring every Flask blueprint subdomain from a single apex registration ensures that api.* and admin.* hosts added during product expansion are covered alongside the marketing apex. Under two minutes per client.
02
A record and CNAME integrity monitoring across Gunicorn upstream nginx hosts, Heroku and Render managed apps, and Cloudflare proxied Flask deployments
Three independent DNS resolvers check every A record and CNAME delegation on every monitoring interval. When a Flask deployment moves from Hetzner to AWS mid-cert-cycle, the new resolution path is validated across all monitored subdomains. When a client turns on Cloudflare's proxy and Certbot renewal subsequently fails, the DNS change shows up in the audit log alongside the cert expiry warning so the root cause is visible in one place rather than discovered four hours into a logged-out-users incident.
03
SSL monitoring 30 days before expiry across Certbot --nginx renewals, Heroku managed certs, Render managed certs, and Cloudflare Origin Cert installations
Full SSL chain validation on every Flask application subdomain — apex, www.*, api.*, admin.*, dash.*, plus blueprint subdomain hosts. An expiry alert fires 30 days before the certificate expires — enough lead time to identify whether the failure is Certbot --nginx silently re-issuing against the wrong server_name after a copy-pasted site config, an api.* blueprint subdomain that never received its own Certbot --nginx invocation, or a Cloudflare proxy interaction blocking ACME http-01 validation. Catches Certbot renewal failures before browsers start silently rejecting Flask-Login Secure cookies and signed-in users get kicked to the login page.
04
Vendor status for Flask hosting providers and managed platforms to distinguish infrastructure incidents from Flask SSL and DNS configuration failures
Merlonix monitors AWS, Google Cloud, Heroku, Render, Fly.io, Hetzner, DigitalOcean, and Cloudflare status pages alongside client SSL and DNS. When a Heroku regional incident causes Flask app failures across multiple client deployments simultaneously, you see the vendor event — not a cluster of individual SSL alerts that each require separate investigation to determine whether the root cause is a Heroku regional outage, a Cloudflare proxy interaction blocking Certbot renewal, or a Flask blueprint subdomain that never had a cert.
What the numbers mean for Flask agencies
Monitoring built for Flask agencies where one client SaaS means a marketing apex, a Flask-Login signed-in dashboard at app.*, a JSON API at api.*, and an admin panel at admin.* — each a separate SSL surface that needs its own Certbot --nginx invocation.
Flask agencies managing Gunicorn behind nginx with Certbot across multi-client VPS hosts, Heroku and Render managed certs across multi-app rosters, and Cloudflare proxy interactions that occasionally break ACME http-01 validation need monitoring that covers every blueprint subdomain — because a Certbot --nginx server_name collision after a copy-pasted site config is silent until the next 60-day renewal cycle and Flask-Login users start getting kicked to the login page without any exception in Flask logs.
< 10 min
Time from DNS change to alert — catches Flask client domain CNAME flips when agencies turn on Cloudflare's proxy and break Certbot --nginx ACME http-01 validation, plus DNS provider migrations between Cloudflare and Route53 before Heroku managed cert renewal cycles fail
30 days
SSL expiry warning lead time — enough time to identify a Certbot --nginx server_name collision after a copy-pasted nginx site config, a blueprint subdomain that never received its own Certbot cert, or a Cloudflare proxy interaction blocking ACME validation, and correct it before Flask-Login Secure cookies start failing silently
11 vendors
Upstream services monitored — AWS, Google Cloud, Heroku, Render, Fly.io, Hetzner, DigitalOcean, and Cloudflare included to distinguish provider outages from Flask application SSL and DNS failures requiring Certbot or nginx configuration changes
200 assets
Maximum monitored domains on the Agency plan — covers Flask apex, www.*, api.*, admin.*, dash.*, and blueprint subdomain hosts across a full Flask client portfolio
Pricing
Flat monthly fee. Every Flask blueprint subdomain and admin host included.
No per-subdomain charges. No per-blueprint fees. Pick the tier that fits your Flask client and subdomain count and monitor every apex, api.*, admin.*, and dash.* host without billing surprises.
Starter
For individual Flask developers managing a small client portfolio on Gunicorn behind nginx or on Heroku.
$29/ month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For Flask agencies managing multi-blueprint deployments with separate api.*, admin.*, and dash.* subdomains.
$79/ month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full Flask client roster including subdomain blueprint hosts and per-tenant admin subdomains.
$199/ month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when a Flask blueprint subdomain or Certbot --nginx renewal is about to fail.
Add your first Flask client domain in under two minutes. Apex, www.*, api.*, admin.*, dash.*, and blueprint subdomain hosts are monitored from the same dashboard. 14-day trial, no card required.