Custom domain stuck in TLS access_denied state — edge config not serving despite valid cert
Cert ID: cert_Rfj1XhsUzEsRny7CfUippyrW (issued ~1h ago)
Older cert still listed: cert_PqZwgqV6AZiUxAJWpEyDGDHl (5d old)
Symptom
Browser: ERR_SSL_PROTOCOL_ERROR
curl: TLS 1.3 alert “access_denied” (alert 49) returned by the edge before any certificate is presented (“no peer certificate available”).
Reproduces against every Vercel anycast IP (216.198.79.65, 64.29.17.65, 216.198.79.1, 64.29.17.1) when SNI=ai-interview.nortonlam.com.
A no-SNI handshake to the same IPs succeeds and presents the generic no-sni.vercel-infra.com cert, so general TLS termination on the edge is fine.
The same project’s *.vercel.app URLs (e.g. ai-consultation-app.vercel.app) serve correctly with HTTP/2 200 and a valid cert.
The issue is specific to the custom hostname’s edge SNI binding.
What I’ve already tried (no change)
DNS verified correct: CNAME → c332f63dbac95ac4.vercel-dns-017.com., resolves to the current Vercel anycast IPs from multiple resolvers.
No CAA blocking; letsencrypt.org is allowed via the CNAME chain.
Dashboard shows “Valid Configuration” for the domain.
Clicked “Refresh” on the domain — no change.
Disabled Deployment Protection — no change.
No firewall rules configured.
vercel certs issue ai-interview.nortonlam.com — succeeded, a new cert was created, the edge still rejects.
Removed the domain from the project and re-added it via the dashboard — the edge still rejects.
The old cert was not cleaned up; two certs now exist for the same CN.
Polled TLS for 60 minutes after the re-add — no recovery.
Diagnosis
The edge SNI table is not serving for this hostname despite the control-plane state being correct (cert valid, domain bound, project deployed). Perhaps the edge config needs to be rebuilt for ai-interview.nortonlam.com on this team.
Note that this worked when I first set it up about a week ago and now it does not.
Project: ai-consultation-app
Domain: ai-interview.nortonlam.com
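The SNI vs no-SNI probe matrix described under Symptom, as an added shell script that is not part of the original post or of any Vercel tooling. It runs openssl s_client against each anycast IP listed in the post, once with SNI set to the custom hostname and once with SNI suppressed, and classifies each handshake as a presented certificate, a bare access_denied alert, a no-certificate close, or some other error. The hostname and IPs are taken from the post; the sample s_client outputs embedded for the self-check are constructed here, not captured from the edge; OpenSSL 1.1.1 or later is assumed for the -noservername flag.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the SNI / no-SNI TLS
# probe matrix against the Vercel anycast IPs and classify each result.
# Assumes openssl >= 1.1.1 (for -noservername). Run with:  sh probe.sh --run

HOST="ai-interview.nortonlam.com"                         # hostname from the post
IPS="216.198.79.65 64.29.17.65 216.198.79.1 64.29.17.1"   # anycast IPs from the post

# classify_tls: read `openssl s_client` output on stdin, print one token:
#   alert:access_denied  fatal access_denied alert (TLS alert 49), no cert presented
#   cert:<subject>       a leaf certificate was presented; subject follows the colon
#   no_cert              handshake ended with no certificate and no recognisable alert
#   error                anything else (connection refused, timeout, openssl missing)
# The alert check runs first because an alert-terminated handshake also prints
# "no peer certificate available".
classify_tls() {
    _out=$(cat)
    if printf '%s\n' "$_out" | grep -qiE 'alert access[ _]denied'; then
        echo "alert:access_denied"
    elif printf '%s\n' "$_out" | grep -q '^subject='; then
        _subj=$(printf '%s\n' "$_out" | sed -n 's/^subject=//p' | head -n 1)
        echo "cert:$_subj"
    elif printf '%s\n' "$_out" | grep -q 'no peer certificate available'; then
        echo "no_cert"
    else
        echo "error"
    fi
}

# probe IP MODE: one TLS handshake to IP:443. MODE is "sni" (send HOST as the
# server name) or "nosni" (suppress the SNI extension entirely).
probe() {
    _ip=$1
    _mode=$2
    if [ "$_mode" = "sni" ]; then
        openssl s_client -connect "$_ip:443" -servername "$HOST" </dev/null 2>&1 | classify_tls
    else
        openssl s_client -connect "$_ip:443" -noservername </dev/null 2>&1 | classify_tls
    fi
}

# run_matrix: probe every IP both ways. The failure mode in the post shows up as
# sni=alert:access_denied beside nosni=cert:CN = no-sni.vercel-infra.com on every row.
run_matrix() {
    for _ip in $IPS; do
        printf '%-16s sni=%-22s nosni=%s\n' "$_ip" "$(probe "$_ip" sni)" "$(probe "$_ip" nosni)"
    done
}

# Constructed sample outputs (not captured from the edge) used to self-check the
# classifier offline; they mimic the shape of openssl s_client output.
SAMPLE_ACCESS_DENIED="CONNECTED(00000003)
80D0F6A7:error:0A000415:SSL routines::tlsv1 alert access denied:ssl/record/rec_layer_s3.c:1586:SSL alert number 49
---
no peer certificate available
---
No client certificate CA names sent"

SAMPLE_NO_SNI_CERT="CONNECTED(00000003)
---
Certificate chain
 0 s:CN = no-sni.vercel-infra.com
   i:O = Example CA, CN = Example Issuing CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBconstructedsamplenotarealcertificate
-----END CERTIFICATE-----
subject=CN = no-sni.vercel-infra.com
issuer=O = Example CA, CN = Example Issuing CA"

if [ "${1:-}" = "--run" ]; then
    run_matrix
fi
```

Classifying on the text rather than on curl's exit code keeps the two failure modes apart: an alert before the certificate (the post's symptom) and a handshake that simply offers no certificate look identical to a browser but are distinguished here, which is the fact the post uses to rule out general TLS termination on the edge.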