MERLONIX
Built for Vercel agencies — 14-day free trial

Cloudflare's proxy silently breaks Vercel's cert.
The site loads; analytics and edge go dark.

Vercel agencies deploying Next.js, SvelteKit, Astro, Nuxt, and Remix client projects deal with Cloudflare proxy (orange-cloud) turning on for a Vercel CNAME and silently breaking automatic Let's Encrypt provisioning, the same custom domain attached to two Vercel projects without removing the old attachment, and preview deploys at custom subdomains breaking when the agency spins up a new project for a refresh. Merlonix monitors SSL and DNS so production edge-function calls don't go dark while the public site still appears to load.

Start free for 14 daysHow it works

No credit card for the trial. Cancel any time.

Check cadence (Agency)
1 min
SSL pre-expiry alert
30 days
Independent DNS resolvers
3
Vendors watched
11

Where Vercel agencies get caught out

Three failure modes specific to Vercel deployments with Cloudflare proxy interactions, multi-project domain attachments, and per-project preview deploy wildcards.

Vercel agencies deploying Next.js, SvelteKit, Astro, Nuxt, and Remix client projects deal with Cloudflare proxy turning on for a Vercel CNAME and silently breaking ACME http-01 validation while the site keeps loading from Cloudflare's edge cert, the same custom domain attached to two Vercel projects without removing the old one (production keeps serving from the old project for weeks), and preview deploy wildcards reassigning to whichever project most-recently claimed a subdomain — breaking preview links from older projects without a single Vercel-dashboard error.

Cloudflare proxy blocks ACME http-01

Turning on Cloudflare's proxy on a Vercel CNAME blocks ACME http-01 renewal

A Vercel agency deploys a Next.js client product to Vercel with a custom domain client.com pointing at cname.vercel-dns.com. The deploy works. SSL provisions. Six months pass. The client gets a DDoS attack and turns on Cloudflare in front for protection — they switch the CNAME from grey-cloud (DNS-only) to orange-cloud (proxied). The site continues loading because Cloudflare's universal SSL covers client.com. Vercel's automatic Let's Encrypt renewal cycle attempts ACME http-01 validation 30 days before the existing cert expires; Cloudflare's proxy returns a synthetic response to the validation challenge and Vercel's ACME challenge fails. Vercel's dashboard shows the cert as "Failed to renew" but the agency doesn't check. Vercel's edge functions begin serving stale geolocation headers because they can't resolve the X-Forwarded-For chain through Cloudflare's SSL termination. Speed Insights silently drops to zero. The agency only realizes when their monthly client report shows blank Web Vitals data and the engineer logs into Vercel and sees a red banner about the failed cert renewal.

Domain still attached to the old project

Rebuilding a client site as a new Vercel project leaves production serving from the old project

A Vercel agency rebuilds a client's Next.js marketing site as a new project (cleaner Git history, fresh App Router upgrade, new GitHub repo). The new project is configured with the same custom domain client.com via the Vercel dashboard. The dashboard shows a yellow "Invalid configuration" warning that the engineer dismisses, assuming it's about DNS propagation. The new project deploys cleanly to <new-project>.vercel.app and renders correctly there. Production traffic at client.com continues hitting the OLD project for the next 30 days because Vercel keeps the cert and routing tied to whichever project first claimed the domain. The agency posts the "go-live" message to Slack and the client believes the new site is live. Two weeks later the client asks why a feature shipped to the new project isn't live; the engineer realizes production is still serving from the old project. Removing the domain from the old project breaks the cert assignment and triggers a 5-minute SSL outage during the transition.

New project steals the wildcard cert

Creating a new Vercel project for the same client reassigns the shared wildcard cert

A Vercel agency operates two Vercel projects for the same client — the public marketing at client.com and the customer dashboard at app.client.com. The dashboard project uses preview deploys at preview.app.client.com that map each branch deploy to a Vercel preview URL. Vercel issued a wildcard cert for *.client.com when the dashboard project first claimed the apex. Six months later the agency creates a third Vercel project for a campaign microsite and configures campaign.client.com. Vercel's cert assignment logic re-issues the wildcard to whichever project most-recently claimed a *.client.com domain. The preview deploys from the dashboard project, which were relying on the same wildcard, start returning ERR_CERT_COMMON_NAME_INVALID for everyone reviewing pre-merge changes. The agency engineer doesn't connect the campaign-project creation to the preview-deploy outage for several days; the only signal is design reviewers complaining that preview links are broken in the QA Slack channel.

How it works

SSL and DNS monitoring for Vercel agencies across automatic Let's Encrypt provisioning, Cloudflare proxy interactions, and multi-project domain attachments with per-project preview deploy wildcards.

Merlonix monitors SSL expiry and CNAME integrity across every Vercel-attached subdomain — production apex, www.*, app.*, dashboard.*, preview deploy hosts, and campaign microsites — and catches renewal failures caused by Cloudflare proxy turning on a CNAME pointing at cname.vercel-dns.com, multi-project domain attachments where production is still served from the old project, or wildcard cert reassignments breaking preview deploys from a different project — before Vercel-side analytics, edge functions, and Speed Insights silently go dark.

01

Add Vercel project domains — apex, www.*, app.*, dashboard.*, preview.*, campaign.*, plus per-branch preview subdomains — with DNS TXT record verification

Verify ownership with a DNS TXT record on the apex domain. All subdomains under that apex — app.*, dashboard.*, preview.*, campaign.*, plus any branch-specific preview subdomains pointing at <branch>-<project>.vercel.app — are added without additional verification. Monitoring every Vercel-attached subdomain from a single apex registration ensures that preview deploy hosts and campaign microsites added across multiple Vercel projects are covered alongside the production apex. Under two minutes per client.

02

CNAME and A record monitoring across cname.vercel-dns.com aliases, Cloudflare proxy interactions, and per-project Vercel domain attachments

Three independent DNS resolvers check every CNAME delegation on every monitoring interval. When a client switches a Vercel CNAME from grey-cloud (DNS-only) to orange-cloud (Cloudflare-proxied), the change shows up in the audit log immediately — alongside the cert renewal failure that follows 30 days later when ACME http-01 validation can't complete through Cloudflare's edge. When a custom domain is attached to a new Vercel project without removing it from the old project, the change is logged so the agency can verify which project is actually serving production traffic.

03

SSL monitoring 30 days before expiry across Vercel managed Let's Encrypt certs, Cloudflare universal certs (when proxy is on), and Vercel wildcard certs covering preview deploy subdomains

Full SSL chain validation on every Vercel-attached subdomain — production apex, www.*, app.*, dashboard.*, plus preview deploy hosts and campaign microsites. An expiry alert fires 30 days before the cert expires — enough lead time to identify whether the failure is a Cloudflare proxy interaction blocking Vercel's ACME http-01 validation, a multi-project domain attachment where the cert is held by an older Vercel project, or a wildcard cert reassignment that broke preview deploy links from a different project. Catches Vercel renewal failures while the public site still appears to load from Cloudflare's edge cert and Vercel-side analytics and edge functions are silently going dark.

04

Vendor status for Vercel, Cloudflare, AWS Route53, and other DNS providers to distinguish infrastructure incidents from Vercel-specific SSL and project-attachment configuration failures

Merlonix monitors Vercel, Cloudflare, AWS, Google Cloud, and Fly.io status pages alongside client SSL and DNS. When a Vercel regional incident causes deploy failures across multiple client projects simultaneously, you see the vendor event — not a cluster of individual SSL alerts that each require separate investigation to determine whether the root cause is a Vercel regional outage, a Cloudflare proxy interaction blocking ACME validation, or a multi-project domain attachment that the agency created during a recent rebuild and forgot to clean up.

What the numbers mean for Vercel agencies

Monitoring built for Vercel agencies where one client product means a marketing apex, a customer dashboard at app.*, a campaign microsite at campaign.*, and per-branch preview deploys at preview.* — each pointing at a different Vercel project and each a separate cert assignment.

Vercel agencies managing automatic Let's Encrypt provisioning across multi-project client rosters, Cloudflare proxy interactions that occasionally break ACME validation, and per-project preview deploy wildcards that reassign on new project creation need monitoring that covers every Vercel-attached subdomain — because a Cloudflare-proxy CNAME flip is silent until the next 30-day Vercel renewal cycle and the production site keeps loading from Cloudflare's edge cert while Vercel-side analytics and edge functions silently go dark.

< 10 min

Time from DNS change to alert — catches the Cloudflare proxy flip from grey-cloud to orange-cloud on a Vercel CNAME, multi-project Vercel domain reassignment during agency rebuilds, and the silent CNAME flip from cname.vercel-dns.com to alias.vercel.app that breaks ACME http-01 validation

30 days

SSL expiry warning lead time — enough time to identify a Cloudflare proxy interaction blocking Vercel's ACME http-01 validation, a multi-project domain attachment where production is still served from the old project, or a wildcard cert reassignment breaking preview deploys, and correct it before Vercel-side analytics, edge functions, and Speed Insights silently go dark

11 vendors

Upstream services monitored — Vercel, Cloudflare, AWS, Google Cloud, and Fly.io included to distinguish provider outages from Vercel-specific SSL failures requiring CNAME or multi-project domain configuration changes

250 assets

Maximum monitored domains on the Agency plan — covers Vercel production apex, www.*, app.*, dashboard.*, preview deploy hosts, and campaign microsites across a full Vercel client portfolio

Pricing

Flat monthly fee. Every Vercel project subdomain and preview deploy host included.

No per-subdomain charges. No per-Vercel-project fees. Pick the tier that fits your Vercel client and project count and monitor every production apex, app.*, dashboard.*, campaign.*, and preview deploy host without billing surprises.

See full feature comparison →

Starter

For individual Vercel developers managing a small client portfolio with single-project Vercel deployments.

$19/ month

  • 15 monitored assets
  • 3 seats
  • 5 min check cadence
  • SSL + DNS + vendor monitoring
  • Email + Slack alerts
Start with Starter
Most chosen

Team

For Vercel agencies managing multi-project client deployments with separate apex, dashboard, and campaign subdomains.

$79/ month

  • 60 monitored assets
  • 10 seats
  • 1 min check cadence
  • SSL + DNS + vendor monitoring
  • Email + Slack alerts
Start with Team

Agency

For agencies with a full Vercel client roster including per-project preview deploys and wildcard cert assignments across multiple Vercel projects per client.

$199/ month

  • 250 monitored assets
  • Unlimited seats
  • 1 min check cadence
  • SSL + DNS + vendor monitoring
  • Email + Slack alerts
Start with Agency

Compliance

For regulated-vertical teams that need continuous, audit-ready evidence.

$699/ month

  • 500 monitored assets
  • Unlimited seats
  • 1 min check cadence
  • SSL + DNS + vendor monitoring
  • Email + Slack alerts
Start with Compliance

Know when a Vercel cert is about to fail because Cloudflare's proxy is on the CNAME.

Add your first Vercel client domain in under two minutes. Production apex, app.*, dashboard.*, campaign.*, and preview deploy hosts across every Vercel project for that client are monitored from the same dashboard. 14-day trial, no card required.

Start free for 14 daysRead the agency SSL checklist →