GitHub Pages checks the Enforce HTTPS box automatically.
It stays checked even when Let's Encrypt provisioning failed.
GitHub Pages provisions Let's Encrypt SSL for custom domains automatically. Apex domains require four specific A records. Subdomains require a CNAME to the repository's GitHub Pages host. When a client DNS migration removes even one of the four required A records, provisioning fails — but the repository settings show no error. The certificate expires quietly while the Enforce HTTPS checkbox stays green. Merlonix monitors SSL and DNS so you know 30 days before that expiry reaches visitors.
No credit card for the trial. Cancel any time.
- Check cadence (Agency): 5 min
- SSL pre-expiry alert: 30 days
- A records required per apex: 4
- Vendors watched: 11
Where GitHub Pages agencies get caught out
Three failure modes specific to GitHub Pages custom domain SSL provisioning.
GitHub Pages agencies managing custom-domain client sites deal with silent provisioning failures that leave the settings UI showing success, four A-record requirements that disappear partially after registrar migrations, and Cloudflare proxy settings that break Let's Encrypt validation for the life of the certificate's renewal cycle.
The Enforce HTTPS checkbox stays checked even when SSL provisioning failed
GitHub Pages repository settings do not show a persistent error when Let's Encrypt provisioning fails — the informational message clears, the checkbox stays checked, and there is no indication the certificate was never issued
When a custom domain is added to GitHub Pages and Enforce HTTPS is enabled, GitHub initiates Let's Encrypt SSL provisioning using HTTP-01 challenge validation. The provisioning process requires HTTP requests to the custom domain to reach GitHub's servers — which means the DNS must be correctly configured at the time of provisioning. If DNS propagation is incomplete, or if a client's registrar migration is still in progress, the HTTP-01 challenge fails and provisioning is abandoned. The repository settings display an informational message during provisioning, but once the attempt finishes — whether it succeeded or failed — the message clears. The Enforce HTTPS checkbox remains checked. An agency that added the custom domain, saw the provisioning message, checked back and saw a checked box, and assumed success is now serving the site over HTTP or with no valid certificate without any indication in the GitHub interface that provisioning ever failed.
Four A records required for apex domains — partial restoration after registrar migrations breaks renewal
GitHub Pages apex domains require four specific A records pointing at GitHub's IP range — 185.199.108.153 through 185.199.111.153 — and all four must be present for Let's Encrypt provisioning and renewal to succeed
GitHub validates all four A records during the HTTP-01 challenge. A client registrar migration that rebuilds the DNS zone from memory — or from a zone export that omitted some records — frequently restores only one or two of the four required GitHub Pages IP addresses. The site continues to load, because any one of the four IPs will route traffic to GitHub's network, and the certificate already issued remains valid until expiry. But at the next 90-day renewal attempt, GitHub validates all four A records again. With only two of the four present, the HTTP-01 challenge fails and the certificate is not renewed. The agency sees no immediate failure — delivery continues for up to 30 days until the certificate expires and browsers begin blocking the site. By that point, the DNS migration that caused the problem happened weeks or months ago and is no longer the obvious place to look.
Cloudflare proxy enabled on a GitHub Pages domain breaks Let's Encrypt validation entirely
When a client's DNS for a GitHub Pages domain uses Cloudflare with the proxy enabled, HTTP-01 challenge requests reach Cloudflare's edge rather than GitHub's servers — provisioning and renewal both fail
GitHub Pages requires DNS-only mode (gray cloud) in Cloudflare for custom domains. When the orange cloud proxy is enabled, DNS resolution for the domain returns Cloudflare's anycast IPs instead of the four GitHub Pages IPs. GitHub's HTTP-01 validation request reaches the Cloudflare edge, which does not forward the Let's Encrypt challenge token to GitHub's backend. Provisioning fails. If a client or their IT team enables the Cloudflare proxy after the certificate was already issued — for performance reasons or CDN benefits — the existing certificate continues serving until it reaches its 90-day expiry. When the renewal attempt fails because the proxy is still enabled, the certificate expires and every visitor to the GitHub Pages site receives a browser SSL warning. Agencies that manage client Cloudflare accounts and GitHub Pages simultaneously have no way to detect the proxy status change from GitHub's repository settings — it is invisible until the renewal fails.
How it works
SSL and DNS monitoring for GitHub Pages custom domains — four A records, CNAME delegation, and Let's Encrypt expiry.
Merlonix monitors the full DNS layer required for GitHub Pages SSL provisioning — all four A records for apex domains, CNAME integrity for www subdomains, SSL expiry with 30-day lead time, and GitHub vendor status to separate platform incidents from client DNS problems.
01
Add the apex domain and www subdomain as separate assets with independent checks
Verify ownership with a DNS TXT record on the apex domain. The apex domain and the www subdomain are added as separate assets — because their DNS requirements are independent. The apex domain requires four A records; the www subdomain requires a CNAME to the repository's GitHub Pages host. A client DNS change can affect the apex without touching www, or vice versa. Monitoring them separately catches partial configurations that a combined check would miss. Under two minutes per GitHub Pages client domain.
02
DNS integrity checks on all four GitHub Pages A records and the CNAME delegation
Three independent DNS resolvers check every A record and CNAME delegation on every monitoring interval. For apex domains, all four GitHub Pages IP addresses — 185.199.108.153, 185.199.109.153, 185.199.110.153, 185.199.111.153 — are validated on each check. A registrar migration that removes even one of the four records generates an alert immediately, at the point of the DNS change, not 30 days later when the renewal attempt fails. CNAME integrity checks on the www delegation detect Cloudflare proxy enablement — when the proxy is on, Cloudflare's IPs are returned for the domain instead of GitHub's, and the delegation target mismatch fires an alert.
03
SSL monitoring 30 days before Let's Encrypt expiry
Full SSL chain validation on every GitHub Pages custom domain. An expiry alert fires 30 days before the certificate expires, inside the window where DNS corrections can be made and a manual renewal attempted before browsers block the site. The 30-day lead time is intentional: Let's Encrypt certificates have a 90-day validity period and GitHub renews at approximately 60 days. If renewal fails, the 30-day alert gives time to diagnose the DNS problem before the 90-day period ends.
04
GitHub vendor status alongside client SSL and DNS checks
Merlonix monitors GitHub platform status alongside client SSL and DNS monitoring. When a GitHub Pages infrastructure incident causes provisioning failures across multiple repositories simultaneously, you see the vendor event — not a cascade of individual client alerts that each require separate investigation into whether the issue is the client's DNS or GitHub's infrastructure. GitHub Pages incidents affect all clients at once; vendor status visibility separates those from client-specific DNS problems.
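An added example, not Merlonix's or GitHub's code: a small Python check in the spirit of steps 02 and 03, comparing each resolver's A-record answers with the four addresses listed above and applying the 30-day expiry window. The function name `audit_apex`, the resolver names and the sample answers are constructed for illustration; 203.0.113.10 is a documentation address standing in for a proxy's IP.

```python
from datetime import datetime, timedelta, timezone

# The four apex A records this page lists for GitHub Pages.
GITHUB_PAGES_A = frozenset(f"185.199.{n}.153" for n in range(108, 112))
EXPIRY_LEAD = timedelta(days=30)  # the page's pre-expiry alert window


def audit_apex(resolver_answers, not_after, now):
    """Return findings for one apex domain (an empty list means healthy).

    resolver_answers: {resolver name: set of A-record strings it returned}
    not_after: certificate expiry as an aware datetime, or None if none was served
    """
    findings = []
    for name, answers in sorted(resolver_answers.items()):
        missing = GITHUB_PAGES_A - answers
        foreign = answers - GITHUB_PAGES_A
        if not answers & GITHUB_PAGES_A:
            # No GitHub address at all: proxy enabled or domain pointed elsewhere.
            findings.append(f"{name}: no GitHub Pages A records, got {sorted(foreign)}")
            continue
        if missing:
            findings.append(f"{name}: missing A records {sorted(missing)}")
        if foreign:
            findings.append(f"{name}: unexpected A records {sorted(foreign)}")
    # Differing answers usually mean a DNS change is still propagating.
    if len({frozenset(a) for a in resolver_answers.values()}) > 1:
        findings.append("resolvers disagree")
    if not_after is None:
        findings.append("no certificate presented")
    elif not_after - now <= EXPIRY_LEAD:
        findings.append(f"certificate expires in {(not_after - now).days} days")
    return findings


# Constructed sample data: (resolver answers, days until certificate expiry).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
TWO_OF_FOUR = {"185.199.108.153", "185.199.109.153"}
SAMPLES = {
    "healthy": ({"r1": set(GITHUB_PAGES_A), "r2": set(GITHUB_PAGES_A)}, 60),
    "after-migration": ({"r1": TWO_OF_FOUR, "r2": TWO_OF_FOUR}, 45),
    "proxied": ({"r1": {"203.0.113.10"}}, 20),
}

if __name__ == "__main__":
    for label, (answers, days_left) in SAMPLES.items():
        print(label, audit_apex(answers, NOW + timedelta(days=days_left), NOW))
```

The "after-migration" sample is the case the page warns about: the certificate still has 45 days left, so only the A-record comparison reports a problem.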
What the numbers mean for GitHub Pages agencies
Monitoring built for GitHub Pages agencies where SSL provisioning fails silently and the UI shows success.
GitHub Pages agencies managing client sites with custom domains need SSL and DNS monitoring that validates the four specific A records GitHub requires — because the repository settings do not show when provisioning failed, and the certificate expires quietly while the Enforce HTTPS checkbox stays checked.
< 10 min
Time from DNS change to alert — catches drift in the four A records after registrar migrations, and Cloudflare proxy enablement, before the next renewal attempt fails
30 days
SSL expiry warning lead time — enough time to diagnose and correct a GitHub Pages DNS problem before Let's Encrypt expiry reaches visitors
11 vendors
Upstream services monitored — GitHub included to distinguish platform incidents from individual client DNS misconfigurations on Pages deployments
200 assets
Maximum monitored domains on the Agency plan — covers apex domains, www subdomains, and additional client subdomains across a full GitHub Pages portfolio
Pricing
Flat monthly fee. Every apex domain and www subdomain included.
No per-domain charges. No per-record fees. Pick the tier that fits your GitHub Pages client count and monitor every custom domain's four A records and CNAME without billing surprises.
Starter
For individual developers managing a small portfolio of GitHub Pages client sites with custom domains.
$29/month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For agencies managing client sites, documentation, and marketing pages on GitHub Pages.
$79/month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a large portfolio of GitHub Pages client deployments and custom domains.
$199/month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when a GitHub Pages certificate is about to expire — before the Enforce HTTPS checkbox lies to you.
Add your first GitHub Pages custom domain in under two minutes. All four A records and the www CNAME are monitored from the same dashboard. DNS change alerts fire the same day a registrar migration removes a required record. 14-day trial, no card required.