Built for Hugo agencies — 14-day free trial

Hugo deploys to Netlify, AWS, and GitHub Pages.
Each platform manages SSL certificates on its own schedule.

Hugo agencies deploy client sites to Netlify, AWS S3+CloudFront, Cloudflare Pages, and GitHub Pages. Each platform uses a different certificate authority and renewal mechanism — ACM on CloudFront, Let's Encrypt on Netlify, and GitHub's own CA on Pages. GitHub Pages CNAME records stay in client DNS after migrations. Multilingual Hugo builds multiply the SSL surface across per-language subdomains. Merlonix monitors SSL and DNS before clients see the error.

No credit card for the trial. Cancel any time.

  • Check cadence (Agency): 5 min
  • SSL pre-expiry alert: 30 days
  • Independent DNS resolvers: 3
  • Vendors watched: 11

Where Hugo agencies get caught out

Three failure modes specific to Hugo client deployments on Netlify, AWS CloudFront, and GitHub Pages.

Hugo agencies deploying across CDN platforms deal with ACM certificate silent renewal failures on CloudFront, GitHub Pages CNAME residue after migrations to Netlify, and per-language subdomain SSL that expires independently and is discovered last.

AWS CloudFront ACM certificates expire on a different schedule from Netlify Let's Encrypt

Hugo agencies deploying to AWS S3+CloudFront use ACM certificates that expire independently from Let's Encrypt — and ACM auto-renewal can fail silently when the distribution's alternate domain name CNAME is changed by the client

Hugo agencies using AWS for client sites provision SSL via AWS Certificate Manager (ACM) attached to a CloudFront distribution. ACM certificates renew automatically — but auto-renewal requires the domain to be validated through either a DNS CNAME record or email confirmation. When a client changes their DNS provider, removes the ACM validation CNAME, or the email contact on the domain registration becomes unreachable, ACM renewal fails silently. There is no AWS console notification pushed to the agency — the certificate continues to show as "Issued" until renewal fails. The CloudFront distribution begins serving an expired certificate, causing SSL errors across all client traffic, while the AWS console shows the distribution as active. Agencies running multiple Hugo clients on AWS CloudFront must monitor ACM certificate expiry independently for each distribution.

GitHub Pages CNAME records remain active in client DNS after migrating Hugo to Netlify

Migrating a Hugo site from GitHub Pages to Netlify changes the CNAME target but leaves the old GitHub Pages custom domain configuration active — along with the github.io CNAME in client DNS

Hugo agencies often begin client projects on GitHub Pages because of its direct integration with the Hugo deployment workflow via GitHub Actions. When clients grow beyond GitHub Pages limitations, agencies migrate builds to Netlify. The DNS CNAME is updated to point at the Netlify hostname, but the old GitHub Pages custom domain configuration remains in the repository settings. The old CNAME entry in the client's DNS zone continues to resolve — pointing at GitHub's infrastructure — until the agency explicitly removes both the GitHub Pages custom domain configuration and the DNS record. After the repository's Pages configuration is eventually removed or the repository is made private, the old CNAME becomes dangling. The residual record causes intermittent resolution failures that are difficult to diagnose without CNAME integrity monitoring showing the target mismatch.
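
The target mismatch described above can be checked mechanically. The following is an added example, not Merlonix code or part of the original page: it classifies a monitored CNAME from the answers several resolvers return (collected, for instance, with `dig +short CNAME <host> @<resolver>`). Hostnames, resolver labels, targets and the `classify`/`audit` names are constructed for illustration.

```python
# Added example: CNAME integrity check. All names and answers are constructed.

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def classify(expected, answers, legacy_suffixes=(".github.io",)):
    """Classify one monitored CNAME.

    answers maps a resolver label to the CNAME target it returned,
    or to None when that resolver returned no CNAME for the host.
    """
    want = normalize(expected)
    targets = {normalize(t) if t else None for t in answers.values()}
    if targets == {want}:
        return "ok"
    if len(targets) > 1:
        # Resolvers disagree: a change is still propagating, or an old
        # record is still being served somewhere.
        return "inconsistent"
    only = next(iter(targets), None)   # None also covers "no answers at all"
    if only is None:
        return "missing"
    if only.endswith(tuple(legacy_suffixes)):
        return "legacy"      # still delegated to the previous platform
    return "mismatch"        # consistent, but not the expected target

NETLIFY = "client-site.netlify.app"   # expected target (constructed)
GH = "client-org.github.io."          # legacy target (constructed)
SAMPLE = {                            # constructed resolver answers
    "www.client.example": {"r1": "client-site.netlify.app.",
                           "r2": "Client-Site.Netlify.app.",
                           "r3": "client-site.netlify.app"},
    "docs.client.example": {"r1": GH, "r2": GH, "r3": GH},
    "fr.client.example": {"r1": "client-site.netlify.app.", "r2": GH,
                          "r3": "client-site.netlify.app."},
    "de.client.example": {"r1": None, "r2": None, "r3": None},
    "shop.client.example": {"r1": "other.example.net.",
                            "r2": "other.example.net.",
                            "r3": "other.example.net."},
}

def audit(sample, expected=NETLIFY):
    """Return {host: status} for every monitored host."""
    return {host: classify(expected, ans) for host, ans in sample.items()}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:22} {status}")
```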

Hugo multilingual builds create per-language subdomains with independent SSL on each

A Hugo multilingual site serving en.client.com, fr.client.com, and de.client.com requires separate custom domain configurations on the hosting platform — each with an independently provisioned and renewed SSL certificate

Hugo's multilingual content management creates static outputs that agencies deploy to per-language subdomains. Netlify and Cloudflare Pages provision SSL independently for each subdomain added as a custom domain. A successful SSL renewal on the root domain or the English subdomain does not trigger renewal on the French or German subdomains — each subdomain's certificate was provisioned at a different time and expires on a different date. Per-language subdomains for a client's secondary languages receive lower monitoring attention than the primary domain, which means expiry is typically discovered only when a language-specific visitor encounters an SSL error — taking longer to surface than a primary domain outage because the audience is smaller. For multilingual Hugo sites, monitoring only the primary domain leaves the remainder of the SSL surface unobserved.
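
An added example (not Merlonix code or part of the original page) of checking every language subdomain against the same 30-day threshold instead of the primary domain only. `fetch_not_after` reads a live certificate with Python's standard `ssl` module; the hostnames, dates and function names are constructed sample values.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # alert lead time stated on the page

def fetch_not_after(host, port=443, timeout=5.0):
    """Return the served certificate's notAfter string, or None when the
    handshake fails verification (an already expired cert lands here)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError:
        return None

def days_left(not_after, now):
    """Whole days from now until a notAfter value such as
    'Jun 13 00:00:00 2025 GMT' (negative once it has passed)."""
    ts = ssl.cert_time_to_seconds(not_after)
    return (datetime.fromtimestamp(ts, timezone.utc) - now).days

def triage(not_after_by_host, now, warn_days=WARN_DAYS):
    """Return [(host, status, days)] with the most urgent rows first."""
    rows = []
    for host, not_after in not_after_by_host.items():
        if not_after is None:
            rows.append((host, "failed", None))
            continue
        d = days_left(not_after, now)
        status = "expired" if d < 0 else "warn" if d <= warn_days else "ok"
        rows.append((host, status, d))
    rank = {"failed": 0, "expired": 1, "warn": 2, "ok": 3}
    return sorted(rows, key=lambda r: (rank[r[1]], r[2] or 0))

# Constructed inventory: each subdomain carries its own expiry date.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE = {
    "client.example": "Aug 30 00:00:00 2025 GMT",
    "en.client.example": "Jul 20 00:00:00 2025 GMT",
    "fr.client.example": "Jun 13 00:00:00 2025 GMT",
    "de.client.example": "May 29 00:00:00 2025 GMT",
    "es.client.example": None,   # handshake failed verification
}

if __name__ == "__main__":
    for host, status, days in triage(SAMPLE, NOW):
        print(f"{host:20} {status:8} {days}")
```

For a live run, build the inventory with `{h: fetch_not_after(h) for h in hosts}` and pass `datetime.now(timezone.utc)` as `now`.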

How it works

SSL and DNS monitoring for Hugo builds on Netlify, AWS CloudFront, GitHub Pages, and Cloudflare Pages.

Merlonix monitors CNAME integrity and SSL health for every subdomain your Hugo clients use — language subdomains, CloudFront distributions, branch previews, and legacy GitHub Pages CNAMEs from prior migrations.

01. Add primary domain, language subdomains, CloudFront distributions, and legacy platform CNAMEs

Verify ownership with a DNS TXT record on the apex domain. Per-language subdomains, staging branch deployments, CloudFront distribution alternate domain names, and legacy GitHub Pages CNAMEs are added without additional verification. Monitoring legacy records catches GitHub Pages migration residue and ACM distribution changes before they cause intermittent failures. Under two minutes per client.

02. CNAME integrity checks on Netlify, CloudFront, GitHub Pages, and Cloudflare Pages hostnames

Three independent DNS resolvers check every CNAME delegation on every monitoring interval — whether the target is a Netlify hostname, a CloudFront distribution domain, a GitHub Pages github.io target, or a Cloudflare Pages workers.dev hostname. When a GitHub Pages migration leaves a conflicting old CNAME, the target mismatch is detected immediately. When a CloudFront distribution's alternate domain name changes and the CNAME loses its routing, the break is detected before clients report it.

03. SSL monitoring 30 days before expiry — ACM, Let's Encrypt, and GitHub CA certs

Full SSL chain validation on every domain and subdomain, regardless of which certificate authority issued the certificate. An expiry alert fires 30 days before the certificate expires — enough lead time to verify ACM renewal status or to provision a replacement for a failed renewal. CloudFront ACM certificates, Netlify Let's Encrypt certificates, and Cloudflare-issued certificates are each monitored on their independent schedules.

04. Vendor status for Netlify, Cloudflare, GitHub, and AWS

Merlonix monitors Netlify, Cloudflare, GitHub, and AWS infrastructure status alongside client SSL and DNS. When a Netlify CDN incident causes SSL failures across multiple Hugo client builds simultaneously, you see the vendor event — not a cascade of individual client alerts requiring separate investigation to distinguish from client-specific DNS changes.

What the numbers mean for Hugo agencies

Monitoring built for Hugo agencies where one client portfolio touches four hosting platforms with different SSL mechanisms.

Hugo agencies managing multilingual client sites and cross-platform deployments need SSL monitoring that covers ACM certificates on CloudFront, Let's Encrypt on Netlify, and every per-language subdomain — because each expires on a completely independent schedule.

< 10 min

Time from DNS change to alert — catches GitHub Pages CNAME residue, CloudFront alternate domain changes, and Netlify routing breaks before clients notice

30 days

SSL expiry warning lead time — enough time to verify ACM renewal, provision a replacement on CloudFront, or ensure Let's Encrypt renewal succeeds on Netlify before clients see SSL errors

11 vendors

Upstream services monitored — Netlify, Cloudflare, GitHub, and AWS included to distinguish platform incidents from client-specific DNS changes on Hugo deployments

200 assets

Maximum monitored domains on the Agency plan — covers primary domains, language subdomains, CloudFront distributions, staging environments, and legacy CNAMEs across a full Hugo client roster

Pricing

Flat monthly fee. Every language subdomain and CloudFront distribution included.

No per-domain charges. No per-platform fees. Pick the tier that fits your Hugo client count and monitor every subdomain and distribution without billing surprises.

Starter

For individual Hugo developers managing a small static site client portfolio.

$29/month

  • 10 monitored assets
  • 1 seat
  • 15-min check cadence
  • SSL + DNS + vendor monitoring
  • Email + Slack alerts

Team (most chosen)

For Hugo agencies managing multilingual builds and multi-platform client deployments.

$79/month

  • 50 monitored assets
  • 5 seats
  • 10-min check cadence
  • SSL + DNS + vendor monitoring
  • Email + Slack alerts

Agency

For agencies with a full Hugo client roster across Netlify, AWS CloudFront, and GitHub Pages.

$199/month

  • 200 monitored assets
  • 15 seats
  • 5-min check cadence
  • SSL + DNS + vendor monitoring
  • Email + Slack alerts

Know when a Hugo client's ACM certificate or language subdomain SSL is about to expire.

Add your first Hugo client domain in under two minutes. Language subdomains, CloudFront distributions, branch deploys, and legacy GitHub Pages CNAMEs are monitored from the same dashboard. 14-day trial, no card required.