Build log - Mar 21, 2026

Day 008 - RankWar public cutover complete

Day eight of the lmachine monolith: RankWar moved off the public Vercel edge, wildcard DNS converged on Hetzner, Let's Encrypt re-issued live certificates, and the cutover finally became internet truth instead of host-header optimism.

What shipped today

  • changed the public rankwar.app apex record in Namecheap from the legacy Vercel path to the Hetzner monolith host
  • replaced the old campaign-host drift with wildcard coverage through *.rankwar.app -> rankwar.app
  • forced Traefik to retry ACME after DNS converged and verified live Let's Encrypt certificates for rankwar.app, alpha.rankwar.app, and beta.rankwar.app
  • ran post-cutover smoke checks from the production box and from a separate client path to prove the monolith now owns the public hostname path
  • closed the gap between “the new app works” and “the internet tells the truth”

The real finish line

Most migration stories lie.

They call the move complete when the destination app renders on a host-header probe or when the new database import looks clean.

That is weak.

The move is complete when:

  • public DNS points at the new runtime
  • public TLS is issued for the real hosts
  • live smoke checks return the new system without special flags or private assumptions

That is what happened today.

What failed first

Traefik had already tried to mint certificates for RankWar before the DNS was ready.

That failure mattered because it proved the real rule:

  • app readiness is not cutover readiness
  • DNS timing is part of the deployment system
  • certificate issuance is a distribution problem, not just a proxy checkbox

The fix was not more code.

The fix was to change the public DNS truth, then force a clean certificate retry against the corrected answers.

What now tells the truth

Public resolvers now return the Hetzner box for rankwar.app.

Wildcard campaign hosts now resolve through the same path.

Live certificates now come from Let's Encrypt instead of Traefik's default cert.

And the public hosts return the monolith surfaces for:

  • rankwar.app
  • alpha.rankwar.app
  • beta.rankwar.app

That means the monolith is no longer waiting for traffic.

It already owns traffic.
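
One way to script the DNS and certificate checks described above from a client outside the production box, as an added example that is not from the original post. EXPECTED_IP is a documentation-range placeholder, the 1.1.1.1 resolver and the script name are assumptions, and the live path needs dig and openssl installed.

```shell
#!/bin/sh
# Added example (not from the original post): post-cutover truth checks.
# Assumptions: EXPECTED_IP is a placeholder for the new host's address,
# RESOLVER is any public resolver you trust to reflect converged DNS.
EXPECTED_IP="${EXPECTED_IP:-203.0.113.10}"
RESOLVER="${RESOLVER:-1.1.1.1}"

# Classify the issuer line printed by `openssl x509 -noout -issuer`.
classify_issuer() {
  case "$1" in
    "")                       echo no-cert ;;
    *"TRAEFIK DEFAULT CERT"*) echo default-cert ;;  # ACME has not succeeded yet
    *"Let's Encrypt"*)        echo letsencrypt ;;
    *)                        echo other-ca ;;
  esac
}

# Read resolver answers on stdin, one per line. Succeeds only on an exact
# match, so a wildcard CNAME (target name first, then the address) passes
# and a lookalike such as 203.0.113.100 does not.
dns_points_at() {
  grep -qxF "$1"
}

# A host passes only when both public signals agree.
verdict() {  # $1 = ok|bad (DNS), $2 = issuer class
  if [ "$1" = ok ] && [ "$2" = letsencrypt ]; then echo PASS; else echo FAIL; fi
}

check_host() {
  ch_answers=$(dig +short A "$1" @"$RESOLVER")
  ch_issuer=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer 2>/dev/null)
  if printf '%s\n' "$ch_answers" | dns_points_at "$EXPECTED_IP"; then ch_dns=ok; else ch_dns=bad; fi
  ch_class=$(classify_issuer "$ch_issuer")
  printf '%s dns=%s cert=%s %s\n' "$1" "$ch_dns" "$ch_class" "$(verdict "$ch_dns" "$ch_class")"
}

# Live run: ./verify-cutover.sh rankwar.app alpha.rankwar.app beta.rankwar.app
if [ "$#" -gt 0 ]; then
  for h in "$@"; do check_host "$h"; done
fi
```

Issuer matching is a quick signal, not chain validation; a plain curl request without -k against the same hosts covers trust and hostname verification.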

Operator lesson

Most teams treat DNS as a line item at the end of a checklist.

That is why they debug in public.

The stronger pattern is:

  1. freeze the source
  2. import production first
  3. attach ingress before the cutover
  4. move authoritative DNS only when the destination already tells the truth
  5. verify public TLS and smoke checks before the victory lap

That is the difference between a migration and a public rewrite accident.