type: decision
status: active
timestamp: 2026-06-20
tags: [monitoring, ssl, decision]

Monitor only oriz.in apex, not subdomains

SSL + uptime on apex only. Subdomains inherit via CF

Monitor only oriz.in apex, not subdomains

Decision

SSL + uptime monitoring (Better Stack and/or Otterwatch) is configured only for the top-level apex domain oriz.in — never per subdomain.

Why

Cloudflare auto-rotates the SSL certificate for every *.oriz.in subdomain whenever the apex zone’s cert renews, so a single apex monitor catches the failure mode that actually matters (cert provisioning / DNS / origin reachability at the zone level). Free-tier monitor slots are scarce — Better Stack gives 10 and Otterwatch gives 5 — and burning them on subdomains that share the apex zone’s fate is wasted capacity. One apex monitor preserves slots for genuinely independent endpoints we may add later.

Implications

Cross-refs


Edit on GitHub · Back to index