Vercel's automatic Let's Encrypt cert silently fails when Cloudflare's proxy is on the CNAME.
The site keeps loading because Cloudflare serves its own edge cert — and Vercel-side analytics and edge functions go dark.
Vercel agencies deploying Next.js, SvelteKit, Astro, Nuxt, and Remix client projects deal with three recurring problems: Cloudflare proxy (orange-cloud) turning on for a Vercel CNAME and silently breaking automatic Let's Encrypt provisioning; the same custom domain attached to two Vercel projects without removing the old attachment; and preview deploys at custom subdomains breaking when the agency spins up a new project for a refresh. Merlonix monitors SSL and DNS so production edge-function calls don't go dark while the public site still appears to load.
No credit card for the trial. Cancel any time.
- Check cadence (Agency): 5 min
- SSL pre-expiry alert: 30 days
- Independent DNS resolvers: 3
- Vendors watched: 11
Where Vercel agencies get caught out
Three failure modes specific to Vercel deployments with Cloudflare proxy interactions, multi-project domain attachments, and per-project preview deploy wildcards.
Vercel agencies deploying Next.js, SvelteKit, Astro, Nuxt, and Remix client projects deal with three failure modes: Cloudflare proxy turning on for a Vercel CNAME and silently breaking ACME http-01 validation while the site keeps loading from Cloudflare's edge cert; the same custom domain attached to two Vercel projects without removing the old one (production keeps serving from the old project for weeks); and preview deploy wildcards reassigning to whichever project most recently claimed a subdomain, which breaks preview links from older projects without a single Vercel-dashboard error.
Vercel's automatic Let's Encrypt provisioning depends on Vercel being able to see the unencrypted ACME http-01 validation request. When an agency turns on Cloudflare's proxy (orange-cloud) on the CNAME pointing at cname.vercel-dns.com, Cloudflare terminates TLS at the edge and re-encrypts to Vercel, and the cert provisioning silently fails. The site keeps loading because Cloudflare serves its own universal edge cert, but Vercel's edge functions, geolocation headers, and Speed Insights stop receiving real client signals.
A Vercel agency deploys a Next.js client product to Vercel with a custom domain client.com pointing at cname.vercel-dns.com. The client adds Cloudflare in front for DDoS protection and turns on the proxy (orange-cloud) on the CNAME. The site continues loading because Cloudflare's universal cert covers client.com. Three weeks later, the agency notices Vercel Analytics shows zero traffic from the production domain and Speed Insights data has gone flat.
A Vercel agency deploys a Next.js client product to Vercel with a custom domain client.com pointing at cname.vercel-dns.com. The deploy works. SSL provisions. Six months pass. The client gets a DDoS attack and turns on Cloudflare in front for protection — they switch the CNAME from grey-cloud (DNS-only) to orange-cloud (proxied). The site continues loading because Cloudflare's universal SSL covers client.com. Vercel's automatic Let's Encrypt renewal cycle attempts ACME http-01 validation 30 days before the existing cert expires; Cloudflare's proxy returns a synthetic response to the validation challenge and Vercel's ACME challenge fails. Vercel's dashboard shows the cert as "Failed to renew" but the agency doesn't check. Vercel's edge functions begin serving stale geolocation headers because they can't resolve the X-Forwarded-For chain through Cloudflare's SSL termination. Speed Insights silently drops to zero. The agency only realizes when their monthly client report shows blank Web Vitals data and the engineer logs into Vercel and sees a red banner about the failed cert renewal.
Vercel allows multiple projects to declare the same custom domain, but only one project can hold the active cert and route production traffic. When an agency rebuilds a client site as a new Vercel project and configures the same custom domain without removing the attachment from the old project, the cert remains tied to the old project, the new project shows "Domain configuration is invalid" but deploys successfully, and the production CNAME continues serving from the old project.
A Vercel agency rebuilds a client marketing site from Next.js Pages Router to App Router by creating a new Vercel project rather than upgrading in place. The new project is configured with the same custom domain client.com. The agency deploys the new project, sees a green production deploy in the new project's dashboard, but does not remove client.com from the old project's domain settings. Production traffic continues hitting the old project for the next 30 days because the cert is still tied there.
A Vercel agency rebuilds a client's Next.js marketing site as a new project (cleaner Git history, fresh App Router upgrade, new GitHub repo). The new project is configured with the same custom domain client.com via the Vercel dashboard. The dashboard shows a yellow "Invalid configuration" warning that the engineer dismisses, assuming it's about DNS propagation. The new project deploys cleanly to <new-project>.vercel.app and renders correctly there. Production traffic at client.com continues hitting the OLD project for the next 30 days because Vercel keeps the cert and routing tied to whichever project first claimed the domain. The agency posts the "go-live" message to Slack and the client believes the new site is live. Two weeks later the client asks why a feature shipped to the new project isn't live; the engineer realizes production is still serving from the old project. Removing the domain from the old project breaks the cert assignment and triggers a 5-minute SSL outage during the transition.
Vercel preview deploys at custom subdomains (preview.client.com → <branch>-<project>.vercel.app) require a wildcard cert covering *.client.com or per-branch CNAME aliases. When the agency creates a new Vercel project for a related client surface, the wildcard cert assignment shifts to whichever project most recently claimed the wildcard, and preview links from the original project break.
A Vercel agency runs two Vercel projects for the same client: the marketing site at client.com and the customer dashboard at app.client.com. Both projects share a wildcard SSL cert for *.client.com. The agency creates a third project for a campaign microsite and configures campaign.client.com. Vercel reassigns the wildcard cert to the new project. Preview deploys at preview.app.client.com from the dashboard project start returning cert errors.
A Vercel agency operates two Vercel projects for the same client — the public marketing at client.com and the customer dashboard at app.client.com. The dashboard project uses preview deploys at preview.app.client.com that map each branch deploy to a Vercel preview URL. Vercel issued a wildcard cert for *.client.com when the dashboard project first claimed the apex. Six months later the agency creates a third Vercel project for a campaign microsite and configures campaign.client.com. Vercel's cert assignment logic re-issues the wildcard to whichever project most-recently claimed a *.client.com domain. The preview deploys from the dashboard project, which were relying on the same wildcard, start returning ERR_CERT_COMMON_NAME_INVALID for everyone reviewing pre-merge changes. The agency engineer doesn't connect the campaign-project creation to the preview-deploy outage for several days; the only signal is design reviewers complaining that preview links are broken in the QA Slack channel.
How it works
SSL and DNS monitoring for Vercel agencies across automatic Let's Encrypt provisioning, Cloudflare proxy interactions, and multi-project domain attachments with per-project preview deploy wildcards.
Merlonix monitors SSL expiry and CNAME integrity across every Vercel-attached subdomain — production apex, www.*, app.*, dashboard.*, preview deploy hosts, and campaign microsites — and catches renewal failures caused by Cloudflare proxy turning on a CNAME pointing at cname.vercel-dns.com, multi-project domain attachments where production is still served from the old project, or wildcard cert reassignments breaking preview deploys from a different project — before Vercel-side analytics, edge functions, and Speed Insights silently go dark.
01. Add Vercel project domains (apex, www.*, app.*, dashboard.*, preview.*, campaign.*, plus per-branch preview subdomains) with DNS TXT record verification
Verify ownership with a DNS TXT record on the apex domain. All subdomains under that apex — app.*, dashboard.*, preview.*, campaign.*, plus any branch-specific preview subdomains pointing at <branch>-<project>.vercel.app — are added without additional verification. Monitoring every Vercel-attached subdomain from a single apex registration ensures that preview deploy hosts and campaign microsites added across multiple Vercel projects are covered alongside the production apex. Under two minutes per client.
02. CNAME and A record monitoring across cname.vercel-dns.com aliases, Cloudflare proxy interactions, and per-project Vercel domain attachments
Three independent DNS resolvers check every CNAME delegation on every monitoring interval. When a client switches a Vercel CNAME from grey-cloud (DNS-only) to orange-cloud (Cloudflare-proxied), the change shows up in the audit log immediately — alongside the cert renewal failure that follows 30 days later when ACME http-01 validation can't complete through Cloudflare's edge. When a custom domain is attached to a new Vercel project without removing it from the old project, the change is logged so the agency can verify which project is actually serving production traffic.
03. SSL monitoring 30 days before expiry across Vercel managed Let's Encrypt certs, Cloudflare universal certs (when proxy is on), and Vercel wildcard certs covering preview deploy subdomains
Full SSL chain validation on every Vercel-attached subdomain — production apex, www.*, app.*, dashboard.*, plus preview deploy hosts and campaign microsites. An expiry alert fires 30 days before the cert expires — enough lead time to identify whether the failure is a Cloudflare proxy interaction blocking Vercel's ACME http-01 validation, a multi-project domain attachment where the cert is held by an older Vercel project, or a wildcard cert reassignment that broke preview deploy links from a different project. Catches Vercel renewal failures while the public site still appears to load from Cloudflare's edge cert and Vercel-side analytics and edge functions are silently going dark.
04. Vendor status for Vercel, Cloudflare, AWS Route53, and other DNS providers to distinguish infrastructure incidents from Vercel-specific SSL and project-attachment configuration failures
Merlonix monitors Vercel, Cloudflare, AWS, Google Cloud, and Fly.io status pages alongside client SSL and DNS. When a Vercel regional incident causes deploy failures across multiple client projects simultaneously, you see the vendor event — not a cluster of individual SSL alerts that each require separate investigation to determine whether the root cause is a Vercel regional outage, a Cloudflare proxy interaction blocking ACME validation, or a multi-project domain attachment that the agency created during a recent rebuild and forgot to clean up.
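The DNS and expiry checks described in steps 02 and 03, sketched as an added example (not Merlonix's code): it compares the CNAME each of three resolvers returns against cname.vercel-dns.com and applies the 30-day window. The resolver names, finding codes, dates and sample answers are constructed, and a real monitor would fill `answers` from live queries and the served certificate.

```python
from datetime import datetime, timedelta, timezone

EXPECTED_CNAME = "cname.vercel-dns.com"  # target named on the page
WARN_WINDOW = timedelta(days=30)          # alert lead time named on the page


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower() if name else None


def evaluate(answers, not_after, now):
    """Return sorted finding codes (hypothetical names) for one host.

    answers:   {resolver: {"cname": str or None, "a": [str, ...]}}
    not_after: expiry (aware datetime) of the certificate currently served
    """
    findings = set()
    seen = {r: normalize(a.get("cname")) for r, a in answers.items()}
    if len(set(seen.values())) > 1:
        findings.add("resolver-disagreement")  # change still propagating
    for resolver, cname in seen.items():
        if cname is None:
            # Addresses without a CNAME are what a proxied record looks like.
            has_a = bool(answers[resolver].get("a"))
            findings.add("cname-hidden" if has_a else "no-answer")
        elif cname != EXPECTED_CNAME:
            findings.add("cname-changed")
    remaining = not_after - now
    if remaining <= timedelta(0):
        findings.add("cert-expired")
    elif remaining <= WARN_WINDOW:
        findings.add("cert-expiring")
    return sorted(findings)


# Constructed sample data; addresses come from RFC 5737 documentation ranges.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
RESOLVERS = ("r1", "r2", "r3")
DNS_ONLY = {r: {"cname": "cname.vercel-dns.com.", "a": ["192.0.2.10"]} for r in RESOLVERS}
PROXIED = {r: {"cname": None, "a": ["203.0.113.5", "203.0.113.6"]} for r in RESOLVERS}
MID_FLIP = dict(DNS_ONLY, r3=PROXIED["r3"])  # one resolver already sees the flip

if __name__ == "__main__":
    print(evaluate(DNS_ONLY, NOW + timedelta(days=60), NOW))
    print(evaluate(MID_FLIP, NOW + timedelta(days=20), NOW))
```

Because the DNS finding fires as soon as the record changes, it gives a signal well before the expiry window is reached.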
What the numbers mean for Vercel agencies
Monitoring built for Vercel agencies where one client product means a marketing apex, a customer dashboard at app.*, a campaign microsite at campaign.*, and per-branch preview deploys at preview.* — each pointing at a different Vercel project and each a separate cert assignment.
Vercel agencies managing automatic Let's Encrypt provisioning across multi-project client rosters, Cloudflare proxy interactions that occasionally break ACME validation, and per-project preview deploy wildcards that reassign on new project creation need monitoring that covers every Vercel-attached subdomain — because a Cloudflare-proxy CNAME flip is silent until the next 30-day Vercel renewal cycle and the production site keeps loading from Cloudflare's edge cert while Vercel-side analytics and edge functions silently go dark.
< 10 min
Time from DNS change to alert — catches the Cloudflare proxy flip from grey-cloud to orange-cloud on a Vercel CNAME, multi-project Vercel domain reassignment during agency rebuilds, and the silent CNAME flip from cname.vercel-dns.com to alias.vercel.app that breaks ACME http-01 validation
30 days
SSL expiry warning lead time — enough time to identify a Cloudflare proxy interaction blocking Vercel's ACME http-01 validation, a multi-project domain attachment where production is still served from the old project, or a wildcard cert reassignment breaking preview deploys, and correct it before Vercel-side analytics, edge functions, and Speed Insights silently go dark
11 vendors
Upstream services monitored — Vercel, Cloudflare, AWS, Google Cloud, and Fly.io included to distinguish provider outages from Vercel-specific SSL failures requiring CNAME or multi-project domain configuration changes
200 assets
Maximum monitored domains on the Agency plan — covers Vercel production apex, www.*, app.*, dashboard.*, preview deploy hosts, and campaign microsites across a full Vercel client portfolio
Pricing
Flat monthly fee. Every Vercel project subdomain and preview deploy host included.
No per-subdomain charges. No per-Vercel-project fees. Pick the tier that fits your Vercel client and project count and monitor every production apex, app.*, dashboard.*, campaign.*, and preview deploy host without billing surprises.
Starter
For individual Vercel developers managing a small client portfolio with single-project Vercel deployments.
$29/month
- 10 monitored assets
- 1 seat
- 15-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Team
For Vercel agencies managing multi-project client deployments with separate apex, dashboard, and campaign subdomains.
$79/month
- 50 monitored assets
- 5 seats
- 10-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Agency
For agencies with a full Vercel client roster including per-project preview deploys and wildcard cert assignments across multiple Vercel projects per client.
$199/month
- 200 monitored assets
- 15 seats
- 5-min check cadence
- SSL + DNS + vendor monitoring
- Email + Slack alerts
Know when a Vercel cert is about to fail because Cloudflare's proxy is on the CNAME.
Add your first Vercel client domain in under two minutes. Production apex, app.*, dashboard.*, campaign.*, and preview deploy hosts across every Vercel project for that client are monitored from the same dashboard. 14-day trial, no card required.