Custom subdomain shows “Valid Configuration” but refuses TCP connections on port 443

muveloper-9374 · December 22, 2025, 10:21am

Current behavior

The custom subdomain early.insightea.ai consistently refuses TCP connections on port 443 with an immediate “connection refused” error.

This happens even though:

The Vercel dashboard shows the domain as “Valid Configuration”
DNS resolves correctly from multiple public resolvers (8.8.8.8, 1.1.1.1)
An SSL certificate is shown as active in Vercel

Example errors:

curl -I https://early.insightea.ai
nc -vz early.insightea.ai 443
openssl s_client -connect early.insightea.ai:443

All of these fail immediately with “connection refused” (not timeout).

Expected behavior

The subdomain should accept HTTPS connections on port 443 and serve the deployed application, the same way other subdomains on the same project do (for example, www.insightea.ai and news.insightea.ai).

Steps to reproduce

Configure early.insightea.ai as a custom domain on a Vercel project.
Set DNS via Cloudflare (DNS only, proxy disabled):
- early → df839047b49ff2a2.vercel-dns-017.com
Confirm in Vercel that:
- Domain status shows “Valid Configuration”
- SSL certificate is issued and active
Attempt to connect using HTTPS:
- curl -I https://early.insightea.ai
The connection is immediately refused.

Additional diagnostics

DNS resolution works correctly from public resolvers:
- dig @8.8.8.8 early.insightea.ai
- dig @1.1.1.1 early.insightea.ai
Cloudflare proxy is disabled (DNS only)
Vercel Authentication / Deployment Protection is disabled
The domain was removed and re-added in Vercel
The project was redeployed
The issue reproduces across different machines and networks
Other domains on the same Vercel project work correctly

Because the failure is an immediate TCP refusal (not a timeout) and only affects this specific hostname, this appears to be an edge routing or TLS binding issue rather than a client-side or DNS issue.

Project information

Project URL (working): https://www.insightea.ai
Affected domain: https://early.insightea.ai
Framework: Next.js
Platform: Vercel
DNS provider: Cloudflare (DNS only)
Account plan: Hobby

Is it possible that this hostname is not correctly bound to a listening service on the Vercel Edge, despite showing as “Valid Configuration”? Would an internal edge reset or rebinding be required?

jacobparis · December 22, 2025, 10:54am

This may take some time for propagation, but SSL works correctly on that domain for me

If it doesn’t resolve itself in a few hours, could you run the script in this repo and share the results? That’ll help diagnose whether there’s some network issue at play

muveloper-9374 · December 22, 2025, 11:20am

Thanks a lot for the quick support!
The issue was on my local machine and has been resolved now.
Really appreciate the help — have a great end of the year!

Topic		Replies	Views
Subdomain SSL is not working despite valid configuration in Vercel Help	6	85	July 5, 2025
Domain Stuck on Invalid SSL/Cipher Help domains	3	42	January 20, 2026
Connection Issues with Android WebView and Custom DNS (AdGuard DNS) on Vercel-Hosted Subdomains Help domains	4	74	December 22, 2024
Custom Domains Not Working from Russia Help domains	6	214	November 17, 2025
Sudden SSL Handshake Failure on Custom Domain (PR_END_OF_FILE_ERROR) Help	3	127	April 7, 2025