Custom Domain Routes Through Vercel But HTTPS Fails (SSL/TLS Handshake Error)

Discussions
1

Hello Vercel Team,

I am experiencing an SSL certificate issue with my custom domain:

Current DNS configuration:

A Record:
@ → 216.198.79.1

CNAME:
www → 9e974bf474f452b6.vercel-dns-017.com

The DNS records match exactly what is shown in the Vercel Domains dashboard.

Testing results:

http://toyotagorontalo.net

→ 308 Redirect
→ Server: Vercel

→ 200 OK
→ Server: Vercel

HTTPS test:

https://www.toyotagorontalo.net
→ SSL/TLS handshake failed

The Domains page still shows “Invalid Configuration” even though:

  • DNS is correct
  • Traffic is routing through Vercel
  • HTTP is working properly

I have already verified the DNS records with my registrar (Rumahweb) and they match exactly what Vercel requires.

Could someone please verify whether SSL certificate provisioning or domain verification is stuck for:

Thank you.

2

Hi Jufriadi,

Since HTTP is already reaching Vercel but HTTPS fails and the dashboard still says Invalid Configuration, I’d double-check the records that can block SSL provisioning rather than the app itself.

A few things to verify at the DNS provider:

dig A toyotagorontalo.net +short
dig AAAA toyotagorontalo.net +short
dig CNAME www.toyotagorontalo.net +short
dig CAA toyotagorontalo.net +short

For the apex domain, the A record should match exactly what Vercel shows in the Domains dashboard. For www, the CNAME should also match exactly, including any trailing . if your DNS provider requires it. Also make sure there are no AAAA records pointing somewhere else, because Vercel’s troubleshooting docs note that IPv6/AAAA records are not supported for third-party DNS custom domains.

If you have any CAA records, make sure they allow Let’s Encrypt / Vercel to issue the certificate. Vercel lists CAA records as one of the common reasons SSL generation can fail.

Docs:
https://vercel.com/docs/domains/troubleshooting
https://vercel.com/docs/domains/working-with-domains/add-a-domain

If those commands show only the expected Vercel records and no conflicting AAAA/blocking CAA, then this is more likely stuck SSL/domain verification on Vercel’s side rather than a Next.js or deployment issue.