GitHub Pages “Enforce HTTPS” looks enabled.
The certificate was never provisioned after the client's DNS change — and GitHub doesn't alert you.
Jekyll agencies deploying to GitHub Pages, Netlify, and Vercel face SSL failures that don't surface in the deployment dashboard. GitHub Pages requires 4 A records for apex domains — any missing record after a client registrar change causes silent SSL failure. Netlify and Vercel auto-renew SSL only if the CNAME delegation stays intact. Merlonix monitors DNS integrity and SSL expiry across every Jekyll client deployment.
No credit card for the trial. Cancel any time.
- Check cadence (Agency)
- 5 min
- SSL pre-expiry alert
- 30 days
- Independent DNS resolvers
- 3
- Vendors watched
- 11
Where Jekyll agencies get caught out
Three failure modes specific to Jekyll client deployments on GitHub Pages, Netlify, and Vercel.
Jekyll agencies deploying to GitHub Pages deal with silent SSL provisioning failures after DNS changes, the 4 A-record requirement for apex domains that fails partially without alerting anyone, and Netlify or Vercel SSL renewal failures when CNAME records drift during client registrar migrations.
GitHub Pages "Enforce HTTPS" appears active in repository settings while the Let's Encrypt certificate was never provisioned after a client DNS change — visitors see an insecure connection warning while the agency sees a green dashboard
GitHub Pages provisions a Let's Encrypt certificate only when DNS is fully propagated to GitHub's servers at the time provisioning is attempted. When a client changes their DNS registrar and the agency enables the custom domain before the new DNS zone has propagated, provisioning fails — but the checkbox in repository settings appears checked regardless of whether the certificate was successfully issued
A client migrating from an old registrar to Cloudflare Registrar expects the transfer to be transparent. The agency configures the custom domain in the Jekyll repository settings and enables "Enforce HTTPS." GitHub Pages checks DNS at that moment and does not find the expected records resolving correctly — provisioning fails. The repository settings show the custom domain and the HTTPS enforcement checkbox as active. Visitors to the site receive a browser warning that the connection is not secure. The agency does not receive any notification from GitHub that provisioning failed. The failure is discovered when the client reports the security warning, often days after the DNS migration.
GitHub Pages apex domain configuration requires 4 specific A records pointing to GitHub's IP range — any missing or incorrect record after a client DNS change causes GitHub Pages to stop serving SSL and prevents Let's Encrypt renewal
GitHub Pages requires that apex domains have all four A records pointing to GitHub's IP range: 185.199.108.153 through 185.199.111.153. GitHub Pages verifies all four records when provisioning and renewing Let's Encrypt certificates. A client who updates their DNS registrar and rebuilds the DNS zone with only one or two of the required A records leaves the apex domain without valid SSL
When a client asks their IT team to "move the DNS" to a new registrar or DNS manager, the team commonly transfers the www CNAME correctly but manually rebuilds the apex A records from memory — and gets 1 or 2 of the 4 required GitHub Pages A records. GitHub Pages validates all four IP addresses when running Let's Encrypt certificate renewal. If one of the four is missing from the DNS zone, the renewal attempt fails. The existing certificate continues serving until it expires — 90 days from the last successful renewal. The gap between the DNS change and the certificate expiry means the agency may not notice the misconfiguration until the certificate expires and GitHub Pages stops serving HTTPS.
Jekyll sites on Netlify or Vercel use automatic Let's Encrypt SSL that renews only when the domain's CNAME record still resolves to the deployment edge — CNAME drift from client DNS changes stops renewal silently
Jekyll agencies deploying to Netlify or Vercel for build pipeline performance or form handling have SSL provisioned automatically through the deployment platform. Both Netlify and Vercel handle Let's Encrypt renewal automatically — but only while the domain's DNS CNAME record still resolves to their edge network. When client DNS drifts away from the Netlify or Vercel CNAME target, the next renewal attempt fails without alerting the agency
A Jekyll site deployed to Netlify for form submissions and build preview URLs has a CNAME record pointing www.clientsite.com to the Netlify subdomain. A year after the initial deployment, the client moves their domain to a new registrar during a brand refresh. The DNS zone is rebuilt, but the CNAME record for www is pointed at the old hosting provider rather than Netlify, or the CNAME is omitted entirely. Netlify's automatic renewal runs 30 days before the certificate expires, checks that www.clientsite.com still resolves to Netlify infrastructure, and fails the renewal when the CNAME no longer points correctly. Netlify does not notify the team on failed renewal. The certificate expires 30 days later.
How it works
SSL and DNS monitoring for Jekyll agencies across GitHub Pages, Netlify, and Vercel deployments.
Merlonix monitors A record integrity for GitHub Pages 4-record apex requirements, CNAME delegations for Netlify and Vercel deployments, and SSL expiry across every Jekyll client domain — and catches SSL provisioning failures before GitHub, Netlify, or Vercel returns a certificate error to site visitors.
01
Add Jekyll site custom domains and deployment endpoints across GitHub Pages, Netlify, and Vercel
Verify ownership with a DNS TXT record on the apex domain. All subdomains under that apex — www, blog subdomains, and API endpoints for Jekyll sites with headless backends — are added without additional verification. Monitoring both the apex and www separately is critical for Jekyll sites on GitHub Pages, where apex A record requirements and www CNAME requirements are validated independently. Under two minutes per client.
02
A record and CNAME integrity monitoring for GitHub Pages 4-record apex requirements and Netlify/Vercel CNAME delegations
Three independent DNS resolvers check every A record and CNAME delegation on every monitoring interval. When a client changes DNS registrar and one of the four required GitHub Pages A records is missing from the new DNS zone, the missing record is detected immediately — before the Let's Encrypt renewal fails. When a client's CNAME for www drifts away from the Netlify or Vercel edge target, the mismatch surfaces at the next monitoring interval rather than when the next renewal attempt fails.
03
SSL monitoring 30 days before expiry on all Jekyll custom domains including GitHub Pages and CDN-deployed sites
Full SSL chain validation on every Jekyll client domain — GitHub Pages, Netlify, and Vercel deployments included. An expiry alert fires 30 days before the certificate expires — enough lead time to correct a missing A record on the GitHub Pages configuration, fix a CNAME that has drifted away from Netlify, or re-enable HTTPS enforcement in the GitHub repository settings. Monitoring against the Let's Encrypt 90-day expiry is the safety net that catches DNS drift before it becomes a customer-visible SSL error.
04
Vendor status for GitHub Pages, Netlify, and Vercel to distinguish platform incidents from client DNS failures
Merlonix monitors GitHub Pages, Netlify, and Vercel status alongside client SSL and DNS. When a GitHub Pages infrastructure incident causes SSL provisioning failures across multiple client repository deployments simultaneously, you see the vendor event — not a series of individual client alerts that each require separate investigation to determine whether the root cause is a GitHub platform issue or a client-specific DNS misconfiguration.
What the numbers mean for Jekyll agencies
Monitoring built for Jekyll agencies where GitHub Pages SSL provisioning fails silently and the deployment dashboard shows everything as healthy.
Jekyll agencies on GitHub Pages need DNS monitoring that covers every A record in the apex domain configuration — because GitHub Pages validates all four records during SSL renewal, and one missing record after a client registrar migration breaks HTTPS without any alert from GitHub or the repository settings UI.
< 10 min
Time from DNS change to alert — catches missing GitHub Pages A records and Netlify/Vercel CNAME drift caused by client registrar migrations before the Let's Encrypt certificate expires and site visitors see an insecure connection warning
30 days
SSL expiry warning lead time — enough time to identify and correct a missing GitHub Pages A record, fix a drifted Netlify CNAME, or re-provision Vercel SSL before the browser begins blocking the client's Jekyll site
11 vendors
Upstream services monitored — GitHub Pages, Netlify, and Vercel included to distinguish platform incidents from individual client DNS changes affecting Jekyll site SSL renewal
200 assets
Maximum monitored domains on the Agency plan — covers primary custom domains, www and apex separately, blog subdomains, and API endpoints across a full Jekyll client portfolio
Pricing
Flat monthly fee. Every Jekyll client domain and deployment endpoint included.
No per-domain charges. No per-deployment fees. Pick the tier that fits your Jekyll client count and monitor every custom domain across GitHub Pages, Netlify, and Vercel without billing surprises.
Starter
For individual Jekyll developers managing a small client portfolio on GitHub Pages or Netlify.
$29/ month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For Jekyll agencies managing multiple client deployments across GitHub Pages, Netlify, and Vercel.
$79/ month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full Jekyll client roster across multiple static deployment platforms.
$199/ month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when a Jekyll client domain SSL is silently failing on GitHub Pages.
Add your first Jekyll client domain in under two minutes. GitHub Pages, Netlify, and Vercel deployments are monitored from the same dashboard. 14-day trial, no card required.