Forge renews Let's Encrypt automatically.
Until a client changes their DNS and renewal breaks silently.
Laravel Forge provisions and renews Let's Encrypt certificates on client VPS deployments. That renewal process requires the domain to point at the Forge-managed server. When a client moves nameservers, transfers their domain, or makes a DNS change at their registrar, Forge's renewal fails — silently — until the certificate expires and the application goes offline. Merlonix monitors SSL and DNS so you know 30 days before expiry.
No credit card for the trial. Cancel any time.
- Check cadence (Agency)
- 5 min
- SSL pre-expiry alert
- 30 days
- Independent DNS resolvers
- 3
- Vendors watched
- 11
Where Laravel agencies get caught out
Three failure modes specific to Laravel Forge and Vapor client deployments.
Laravel agencies managing Forge and Vapor deployments deal with silent Let's Encrypt renewal failures triggered by client DNS changes, Vapor environment ACM certificates that expire independently from the primary domain, and Horizon/Nova subdomains that multiply the SSL monitoring surface.
Forge Let's Encrypt renewal fails silently after client DNS changes
Laravel Forge renews Let's Encrypt certificates by making an HTTP validation request to the server — if the domain no longer points at the Forge server, renewal fails without any visible error until the certificate expires
Forge's Let's Encrypt integration uses HTTP-01 or DNS-01 domain validation to renew certificates automatically before expiry. HTTP-01 validation requires the domain to resolve to the Forge-managed server so the Let's Encrypt challenge request can be answered. When a client transfers their domain to a new registrar, consolidates nameservers, or makes a DNS change that redirects the root domain or subdomain away from the Forge server IP address, the next renewal attempt fails. Forge logs the failure, but most agencies are not checking Forge server logs daily. The certificate continues serving traffic — with a decreasing validity period — until it expires and the Laravel application returns an SSL error to every visitor. By the time the expiry is discovered, there may be less than a week of validity remaining and the agency is troubleshooting a live outage rather than a scheduled renewal.
Laravel Vapor API subdomains have independent ACM certificates from the primary domain
Vapor deploys Laravel applications to AWS Lambda with API Gateway custom domains — each environment's API subdomain gets its own ACM certificate, independent from the primary domain's SSL
Laravel Vapor provisions AWS ACM certificates for custom domains configured on each Vapor environment. An application deployed with production, staging, and queue environments will have three separately provisioned ACM certificates — one per environment API subdomain. Each ACM certificate requires DNS validation: a CNAME record pointing at an ACM validation endpoint must be present in the client's DNS zone. If the client's DNS provider or registrar changes and the validation CNAME records are not migrated, ACM cannot renew the certificates for any Vapor environment. Because ACM certificates are managed per AWS account, the agency cannot access the ACM console without the client's AWS credentials or a delegated IAM role — the SSL expiry risk is invisible until the Vapor API endpoint starts rejecting SSL connections from the client application.
Forge-managed application subdomains for Horizon, Nova, and APIs multiply the SSL surface
Laravel applications commonly run Horizon for queue monitoring, Nova for administration, and API subdomains for mobile clients — each on a separate Forge site with independent SSL provisioned and renewed separately
A single Laravel client application often runs under three to five DNS records: the primary domain, a Horizon queue monitoring subdomain, a Nova admin subdomain, an API subdomain for mobile or SPA consumers, and a staging subdomain. In a Forge deployment, each subdomain is a separate Forge site on the same server — and each Forge site has its own Let's Encrypt certificate, renewed independently. If a client DNS change breaks renewal for the primary domain, it typically also breaks renewal for every subdomain on the same server, since they share the same server IP and the same DNS dependency. Five certificates expire instead of one. Agencies without automated SSL monitoring across every subdomain discover the full scope of the failure when clients begin reporting errors across multiple application surfaces simultaneously.
How it works
SSL and DNS monitoring for Laravel Forge and Vapor deployments across every subdomain.
Merlonix monitors CNAME integrity and SSL health for Laravel applications on Forge, Vapor, and VPS servers — with 30-day expiry warnings before a Let's Encrypt or ACM renewal failure becomes a client outage.
01
Add every Forge site domain and Vapor environment subdomain
Verify ownership with a DNS TXT record on the apex domain. All Forge site subdomains — Horizon, Nova, API, staging — and every Vapor environment's API subdomain are added without additional verification. Monitoring every record means a client DNS change that would break all Forge site renewals simultaneously is caught before any certificate expires.
02
CNAME integrity checks on Forge server DNS and Vapor ACM validation records
Three independent DNS resolvers check every A record and CNAME delegation on every monitoring interval. When a client DNS change redirects a subdomain away from the Forge server IP, the DNS mismatch is detected immediately — before the next Let's Encrypt renewal attempt fails. For Vapor environments, CNAME integrity checks on the ACM validation records confirm they are still present after any DNS migration.
03
SSL monitoring 30 days before Let's Encrypt and ACM expiry
Full SSL chain validation on every Forge site domain and every Vapor environment subdomain. An expiry alert fires 30 days before the certificate expires — enough lead time to investigate whether a client DNS change has broken renewal and correct it before the application goes offline. Let's Encrypt certificates have a 90-day validity period; 30 days of warning is sufficient to renew manually if automated renewal is broken.
04
AWS and DigitalOcean vendor status alongside client SSL and DNS
Merlonix monitors AWS and DigitalOcean platform status alongside client SSL and DNS monitoring. When an AWS ACM service disruption prevents Vapor certificate renewal across multiple client environments, you see the vendor event — not individual client alerts requiring separate root-cause investigation to determine whether the issue is the client's DNS or the AWS platform.
What the numbers mean for Laravel agencies
Monitoring built for Laravel agencies where Let's Encrypt renewal depends on client-controlled DNS.
Laravel agencies managing Forge and Vapor deployments need SSL monitoring with enough lead time to act before expiry — because automated renewal breaks silently after client DNS changes, and the failure only surfaces when the certificate expires and clients call.
< 10 min
Time from DNS change to alert — catches client registrar changes that would break Forge Let's Encrypt renewal before the renewal attempt fails
30 days
SSL expiry warning lead time — enough time to correct a broken renewal before a Forge or Vapor certificate expires and takes down client applications
11 vendors
Upstream services monitored — AWS and DigitalOcean included to distinguish platform incidents from client DNS changes on Laravel deployments
200 assets
Maximum monitored domains on the Agency plan — covers Forge sites, Vapor environments, Horizon, Nova, API subdomains, and staging across a full client roster
Pricing
Flat monthly fee. Every Forge site and Vapor environment included.
No per-domain charges. No per-environment fees. Pick the tier that fits your Laravel client count and monitor every subdomain without billing surprises.
Starter
For individual Laravel developers managing a small client portfolio on Forge.
$29/ month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For Laravel agencies managing client deployments across Forge, Vapor, and VPS servers.
$79/ month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full Laravel client roster across Forge servers and Vapor environments.
$199/ month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when a Forge or Vapor certificate is about to expire — before renewal breaks and the client calls.
Add your first Laravel client domain in under two minutes. Forge sites, Vapor environments, Horizon, Nova, and API subdomains are monitored from the same dashboard. 14-day trial, no card required.