My custom domain webshoppages.nl shows “Valid Configuration” in the Vercel dashboard and a certificate was issued (verified via SSL Labs: issued by Google WR1, valid 18 Jun – 16 Sep 2026, trusted, no chain issues). But the domain cannot be reached over HTTPS from any of my computers.
== SYMPTOMS ==
All browsers (Chrome, Edge, Brave, also incognito) return ERR_SSL_PROTOCOL_ERROR.
curl returns: schannel: next InitializeSecurityContext failed: SEC_E_LOGON_DENIED (0x8009030c). The TLS handshake fails before any data is returned.
Happens on 3 separate Windows machines.
The site loads fine on mobile over the exact same Wi-Fi.
== KEY EVIDENCE THIS IS NOT A LOCAL / MACHINE ISSUE ==
I have another Vercel project, aiseopages.nl, on the SAME Vercel IP (216.198.79.1). On the exact same machine, same browser, same moment, aiseopages.nl opens perfectly over HTTPS — but webshoppages.nl fails the handshake. If this were local antivirus / Schannel / HTTPS-filtering, aiseopages.nl would fail too. It does not.
All my other domains became reachable over HTTPS within ~10 hours of setup. webshoppages.nl has been “Valid Configuration” for over 20 hours and still fails — well beyond normal propagation.
Vercel support already confirmed their own test servers reach the site with HTTP 200. So the failure is between the edge and European (KPN / EU-Amsterdam) clients.
== EVERYTHING ALREADY VERIFIED / RULED OUT ON MY SIDE ==
DNS correct: A record 216.198.79.1, propagated worldwide (checked via dnschecker.org and Google DNS 8.8.8.8).
No CAA records (nothing blocking certificate issuance).
No proxy configured (netsh winhttp show proxy = direct access).
Domain is only in this one Vercel project/account (not duplicated in my other account).
GitHub connected correctly. No account warnings.
The .vercel.app deployment URL works perfectly.
Domain registrar status is Active (not suspended, no pending verification).
The registrar (Hostinger) had auto-created its own SSL certificate for the domain — I deleted it, no change.
I have NOT pointed nameservers to the registrar; DNS points to Vercel via the A record.
Removed and re-added the domain in Vercel — no change.
== REQUEST ==
This looks like a stale or mismatched TLS certificate for this specific domain on the edge serving European (EU/Amsterdam) clients. Could an engineer please re-provision / re-issue the TLS certificate for webshoppages.nl on the edge?
Let’s Debug (letsdebug.net) reports “All OK — no issues found” for webshoppages.nl using HTTP-01. So certificate issuance is not blocked on my side at all — the problem is purely that the edge is not serving the certificate.
The domain troubleshooting guide can help with most custom domain configuration issues. You might be able to use that guide to solve it before a human is available to help you. Then you can come back here and share the answer for bonus points.
You can also use v0 to narrow down the possibilities.
Since the certificate exists and the site works from mobile on the same Wi-Fi, I’d separate this into two checks before assuming a general certificate issuance problem.
First, check whether any IPv6/AAAA record is still present somewhere:
If AAAA returns anything, remove that stale IPv6 record or test with IPv4 forced. Vercel’s domain troubleshooting docs call out that third-party custom domains should not be pointed to Vercel with AAAA records:
Second, test the TLS handshake with SNI explicitly:
The -servername webshoppages.nl part matters. A no-SNI scan can show a default/shared edge certificate and may not reflect what browsers actually request for your domain.
If the SNI test fails only from the affected KPN/EU/Windows path but works from mobile or another network, I’d send Vercel support the exact failing timestamp, resolved IP, network/region, and the openssl s_client output. That gives them much better evidence than “Valid Configuration but browser fails.”
dig A → 216.198.79.1 (correct)
dig AAAA → empty (no IPv6 record — already removed earlier)
CAA → none
So no stale AAAA and no CAA. DNS is clean.
For the TLS test on Windows (no openssl/dig, used curl):
curl https://webshoppages.nl → fails: schannel SEC_E_LOGON_DENIED (0x8009030c), handshake fails before any cert is returned, even though SNI is sent.
This fails identically on 3 machines (mix of Windows 10 and 11), 3 browsers, incognito, antivirus disabled.
Crucially: aiseopages.nl on the SAME Vercel IP (216.198.79.1) opens perfectly on the exact same machine/browser. And webshoppages.nl works fine on mobile (same Wi-Fi).
Let’s Debug (http-01) reports “All OK — no issues found” for the domain.
Since issuance is fine, no AAAA/CAA, and an identical project on the same IP works from the same machine, this really looks like the edge is not serving the correct certificate for webshoppages.nl specifically on the EU path that serves my connection. Could this be escalated to Vercel staff for a certificate re-provision on the edge?