Symfony deployments span api.*, admin.*, and app.* subdomains.
Each one has an independent Certbot certificate. Security hardening after launch silently breaks renewal.
Symfony agencies running Certbot on Nginx and Apache deal with renewal failures caused by port 80 being blocked after security hardening, multiple subdomains each carrying independent Let's Encrypt certificates on different renewal schedules, and VPS migrations that leave SSL coverage gaps when the new server isn't configured with all the original Certbot profiles. Merlonix monitors SSL and DNS so you catch renewal failures before clients hit the browser warning.
No credit card for the trial. Cancel any time.
- Check cadence (Agency)
- 5 min
- SSL pre-expiry alert
- 30 days
- Independent DNS resolvers
- 3
- Vendors watched
- 11
Where Symfony agencies get caught out
Three failure modes specific to Symfony deployments on VPS with Certbot and multi-subdomain configurations.
Symfony agencies running Certbot deal with post-launch security hardening that silently breaks port 80 and stops Let's Encrypt renewal, multiple subdomain certificates managed independently with different expiry dates, and VPS migrations that leave previously covered subdomains without Certbot renewal on the new server.
Certbot renewal on Nginx requires port 80 for the HTTP-01 challenge — security hardening applied after launch commonly blocks port 80, causing Certbot to fail renewal silently on the 90-day cycle while the certificate continues serving until expiry
Symfony agencies apply security hardening after a client application goes live: UFW rules are tightened, load balancer security groups are updated, or the ops team enforces HTTPS-only and blocks port 80 at the infrastructure layer. Certbot's HTTP-01 challenge depends on port 80 being accessible to Let's Encrypt's validation servers. When port 80 is closed after launch, Certbot logs a renewal failure and exits — without notifying the agency
A Symfony REST API deployed to a DigitalOcean Droplet with Nginx receives a post-launch security hardening pass: UFW is configured to allow only 443 and application-specific ports, and port 80 is blocked as part of a standard hardening checklist. Certbot's cron job runs 60 days later to renew the Let's Encrypt certificate. The HTTP-01 challenge fails because port 80 is not reachable from Let's Encrypt's validation infrastructure. Certbot logs the failure to `/var/log/letsencrypt/letsencrypt.log` and exits with a non-zero code. The cron job output is discarded. The existing certificate continues serving for 30 more days until expiry. The agency discovers the failure when the client's mobile app reports SSL handshake errors on the API subdomain — not when the security hardening was applied.
Symfony applications commonly deploy api.*, admin.*, and app.* subdomains — each with an independent Certbot certificate — and a subdomain added during a feature sprint may never have Certbot configured at all
A Symfony application with an API layer, an admin panel, and a consumer frontend deploys on three subdomains managed by three independent Certbot certificates. Subdomains added during subsequent feature sprints — webhooks.clientapp.com for a third-party integration, media.clientapp.com for CDN origin — are configured in Nginx but not always added to the Certbot certificate list
An agency deploying a Symfony application adds api.clientapp.com during the initial launch, admin.clientapp.com six weeks later during the admin panel sprint, and webhooks.clientapp.com three months later during a Stripe webhook integration sprint. Each subdomain gets an Nginx vhost block, but the engineer adding webhooks.clientapp.com does not run `certbot certonly` for the new subdomain. The Nginx configuration serves the subdomain over HTTP only, or with a self-signed certificate. The Stripe webhook integration works during development because Stripe follows redirects during testing. In production, Stripe's webhook delivery endpoint requires valid SSL. The first production webhook delivery failure appears in the Stripe dashboard as an SSL error — not as a configuration reminder to the agency.
When a Symfony application migrates from one VPS to another, the old server continues serving on its certificate until TTL expires — but the new server may not have Certbot configured for all subdomains, leaving gaps in SSL coverage that appear only at expiry
VPS migrations for Symfony applications require Certbot to be re-configured on the new server for every subdomain covered on the old server. The migration checklist commonly transfers Nginx vhost configuration, database credentials, and application code — but Certbot certificate profiles and the list of covered domains are frequently missed or partially copied
A Symfony application migrates from an aging Hetzner server to a DigitalOcean Droplet during a server upgrade. The ops team exports and imports Nginx configuration, copies application code, restores the database, and tests that the application loads on the new server before updating DNS. The Certbot setup on the old server covered five subdomains. The ops team runs `certbot certonly` for the primary application domain on the new server during the migration, then moves on. Three of the five subdomains from the old server's Certbot profile are not re-configured on the new server. DNS is updated to point at the new server. Those three subdomains now carry Let's Encrypt certificates issued to the old server configuration — and Certbot on the now-decommissioned old server no longer runs renewals. The three subdomains' certificates expire 90 days later.
How it works
SSL and DNS monitoring for Symfony agencies across Certbot-managed VPS deployments, multi-subdomain applications, and server migrations.
Merlonix monitors SSL expiry and DNS A record integrity across every Symfony application subdomain — api.*, admin.*, and app.* — and catches Certbot renewal failures caused by security hardening, VPS migrations, or unconfigured subdomains before the 90-day certificate expires and the client's application returns SSL errors.
01
Add Symfony application domains — apex, API, admin, and app subdomains — with DNS verification via TXT record
Verify ownership with a DNS TXT record on the apex domain. All subdomains under that apex — api.*, admin.*, app.*, webhooks.*, and media.* — are added without additional verification. Monitoring every Symfony subdomain from a single apex registration ensures that subdomains added during feature sprints are covered alongside the primary application domain. Under two minutes per client.
02
DNS A record integrity checks for Symfony applications across VPS provider IP ranges
Three independent DNS resolvers check every A record on every monitoring interval. When a Symfony application migrates from one VPS to another and the DNS A records are updated, the new IP is validated across all monitored subdomains. When a subdomain was missed during a VPS migration and DNS still points to the old server's IP, the mismatch between the monitored subdomain and the expected server surfaces at the next monitoring interval. DNS change monitoring provides the audit trail that confirms a migration completed correctly across all subdomains.
03
SSL monitoring 30 days before expiry across all Certbot-managed subdomains — catches silent renewal failures before the 90-day certificate runs out
Full SSL chain validation on every Symfony application subdomain — api.*, admin.*, app.*, and any other Nginx-hosted endpoint. An expiry alert fires 30 days before the certificate expires — enough lead time to identify whether the failure is a port 80 block from security hardening, a Certbot profile gap from a VPS migration, or a subdomain that was never configured in Certbot at all, and correct the configuration before the client's application returns SSL handshake errors.
04
Vendor status for common Symfony hosting providers to distinguish infrastructure incidents from configuration failures
Merlonix monitors AWS, DigitalOcean, Hetzner, and common VPS provider status pages alongside client SSL and DNS. When a DigitalOcean regional incident causes DNS resolution failures across multiple Symfony client deployments simultaneously, you see the vendor event — not a cluster of individual SSL and DNS alerts that each require separate investigation to determine whether the root cause is an infrastructure outage or a Certbot renewal failure requiring configuration changes.
What the numbers mean for Symfony agencies
Monitoring built for Symfony agencies where one client application means multiple subdomains, each with an independent Certbot certificate that can fail silently.
Symfony agencies managing Certbot across api.*, admin.*, and app.* subdomains need SSL monitoring that covers every configured subdomain — because a Certbot renewal failure on the API subdomain after security hardening is silent until the 90-day certificate expires and the mobile app returns SSL handshake errors.
< 10 min
Time from DNS change to alert — catches VPS migration IP changes and subdomain DNS drift caused by server rebuilds or registrar migrations before the Symfony application returns SSL errors to clients
30 days
SSL expiry warning lead time — enough time to identify a Certbot renewal failure caused by port 80 security hardening, a VPS migration gap, or an unconfigured subdomain, and correct the setup before the certificate expires
11 vendors
Upstream services monitored — AWS, DigitalOcean, and Hetzner included to distinguish infrastructure outages from Symfony application SSL and DNS failures requiring Certbot or DNS configuration changes
200 assets
Maximum monitored domains on the Agency plan — covers primary application domains, API subdomains, admin panels, webhook endpoints, and media origins across a full Symfony client portfolio
Pricing
Flat monthly fee. Every Symfony subdomain and API endpoint included.
No per-subdomain charges. No per-server fees. Pick the tier that fits your Symfony client count and monitor every application endpoint without billing surprises.
Starter
For individual Symfony developers managing a small client portfolio on VPS with Certbot.
$29/ month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For Symfony agencies managing multi-subdomain deployments and VPS migrations.
$79/ month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full Symfony client roster across VPS providers and multi-region deployments.
$199/ month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when a Symfony API subdomain or Certbot certificate is about to expire.
Add your first Symfony client domain in under two minutes. API subdomains, admin panels, and webhook endpoints are monitored from the same dashboard. 14-day trial, no card required.