[▲ Vercel Community](/) · [Categories](/categories) · [Latest](/latest) · [Top](/top) · [Live](/live) [Help](/c/help/9) # Custom subdomain shows “Valid Configuration” but refuses TCP connections on port 443 24 views · 2 likes · 3 posts muveloper (@muveloper-9374) · 2025-12-22 <!-- Questions that get answered the fastest are the ones with relevant info included in the original post. Be sure to include all detail needed to let others see and understand the problem! --> <!-- Current versus Expected behavior --> <!-- Code, configuration, and steps that reproduce this issue --> <!-- Project information (URL, framework, environment, project settings) --> ## **Current behavior** The custom subdomain early.insightea.ai consistently refuses TCP connections on port 443 with an immediate “connection refused” error. This happens even though: * The Vercel dashboard shows the domain as “Valid Configuration” * DNS resolves correctly from multiple public resolvers (8.8.8.8, 1.1.1.1) * An SSL certificate is shown as active in Vercel Example errors: * curl -I [https://early.insightea.ai](https://early.insightea.ai/) * nc -vz early.insightea.ai 443 * openssl s_client -connect early.insightea.ai:443 All of these fail immediately with “connection refused” (not timeout). ## **Expected behavior** The subdomain should accept HTTPS connections on port 443 and serve the deployed application, the same way other subdomains on the same project do (for example, [www.insightea.ai](http://www.insightea.ai/) and news.insightea.ai). ## **Steps to reproduce** 1. Configure early.insightea.ai as a custom domain on a Vercel project. 2. Set DNS via Cloudflare (DNS only, proxy disabled): * early → df839047b49ff2a2.vercel-dns-017.com 3. Confirm in Vercel that: * Domain status shows “Valid Configuration” * SSL certificate is issued and active 4. Attempt to connect using HTTPS: * curl -I [https://early.insightea.ai](https://early.insightea.ai/) 5. The connection is immediately refused. ## **Additional diagnostics** * DNS resolution works correctly from public resolvers: * dig @8.8.8.8 early.insightea.ai * dig @1.1.1.1 early.insightea.ai * Cloudflare proxy is disabled (DNS only) * Vercel Authentication / Deployment Protection is disabled * The domain was removed and re-added in Vercel * The project was redeployed * The issue reproduces across different machines and networks * Other domains on the same Vercel project work correctly Because the failure is an immediate TCP refusal (not a timeout) and only affects this specific hostname, this appears to be an edge routing or TLS binding issue rather than a client-side or DNS issue. ## **Project information** Project URL (working): [https://www.insightea.ai](https://www.insightea.ai/) Affected domain: [https://early.insightea.ai](https://early.insightea.ai/) Framework: Next.js Platform: Vercel DNS provider: Cloudflare (DNS only) Account plan: Hobby Is it possible that this hostname is not correctly bound to a listening service on the Vercel Edge, despite showing as “Valid Configuration”? Would an internal edge reset or rebinding be required? Jacob Paris (@jacobparis) · 2025-12-22 · ♥ 1 This may take some time for propagation, but SSL works correctly on that domain for me  If it doesn't resolve itself in a few hours, could you run the script in this repo and share the results? That'll help diagnose whether there's some network issue at play https://github.com/vercel-support/vercel-connect-debug muveloper (@muveloper-9374) · 2025-12-22 · ♥ 1 Thanks a lot for the quick support! The issue was on my local machine and has been resolved now. Really appreciate the help — have a great end of the year!
