No SSL for maorz.co.il despite valid DNS

Hello,
Our custom domain maorz.co.il is not receiving an SSL certificate, even though the DNS configuration is valid and Let’s Encrypt confirms there are no issues.
Details:
DNS configuration (Cloudflare, DNS only):
A maorz.co.il → 76.76.21.21
CNAME www.maorz.co.il → cname.vercel-dns.com
No CAA records (confirmed with dig).
DNSSEC is disabled.
Cloudflare proxy is disabled for both apex and www.
No _acme-challenge TXT record exists.
.well-known/acme-challenge/ is accessible.
Domain shows Valid Configuration in the Vercel dashboard.
Removed and re-added the domain multiple times with no success.
Let’s Debug (http-01) returns All OK, confirming Let’s Encrypt can issue a certificate for this domain without issues.
curl -I https://maorz.co.il returns:
curl: (60) SSL: no alternative certificate subject name matches target host name ‘maorz.co.il’
Given that external validation is successful, this seems to be an internal Vercel SSL issuance issue.
Could you please manually trigger SSL issuance for maorz.co.il or investigate why it is not being automatically provisioned?

The domain maorz.co.il resolves correctly to Vercel (DNS only through Cloudflare).
Vercel dashboard shows “Valid Configuration” for both maorz.co.il and www.maorz.co.il.
No SSL certificate is issued – curl returns:
curl: (60) SSL: no alternative certificate subject name matches target host name ‘maorz.co.il’
This has persisted despite multiple remove-and-readd attempts for the domain.
Expected Behavior:
Vercel should automatically issue a Let’s Encrypt SSL certificate for maorz.co.il upon successful DNS verification.
Visiting https://maorz.co.il should load the site with a valid SSL certificate issued to maorz.co.il.

{
“framework”: “nextjs”,
“buildCommand”: “npm run build:vercel”,
“devCommand”: “npm run dev”,
“installCommand”: “npm install”,
“outputDirectory”: “.next”,
“redirects”: [
{
“source”: “/(.)",
“has”: [
{
“type”: “host”,
“value”: “www.maorz.co.il”
}
],
“permanent”: true,
“destination”: “https://maorz.co.il/$1
}
],
“headers”: [
{
“source”: "/(.
)”,
“headers”: [
{ “key”: “Strict-Transport-Security”, “value”: “max-age=31536000; includeSubDomains” },
{ “key”: “X-Content-Type-Options”, “value”: “nosniff” },
{ “key”: “X-Frame-Options”, “value”: “DENY” },
{ “key”: “X-XSS-Protection”, “value”: “1; mode=block” }
]
}
]
}

Steps to Reproduce:

  1. Add maorz.co.il as a custom domain in Vercel (with correct Cloudflare DNS pointing to 76.76.21.21 and cname.vercel-dns.com for www).

  2. Wait for domain to show “Valid Configuration” in the Vercel dashboard.

  3. Attempt to access https://maorz.co.il.

  4. Observe that SSL certificate is missing (curl error: no alternative certificate subject name matches target host name).

  5. Remove and re-add the domain multiple times – issue persists.


Project URL (Vercel Dashboard): https://maor-zini-website.vercel.app/
Live Domain: https://maorz.co.il
Framework: Next.js
Environment: Production
Project Settings:
Build Command: npm run build:vercel
Install Command: npm install
Output Directory: .next
Redirects: www.maorz.co.il → maorz.co.il (permanent)

The domain troubleshooting guide can help with most custom domain configuration issues. You might be able to use that guide to solve it before a human is available to help you. Then you can come back here and share the answer for bonus points.

You can also use v0 to narrow down the possibilities.

Thanks for the suggestion – I’ve already gone through the domain troubleshooting guide step by step before posting here.

  • DNS is correctly configured to Vercel (A record for maorz.co.il76.76.21.21, CNAME for wwwcname.vercel-dns.com, both DNS only).

  • No CAA records are set.

  • DNSSEC is disabled.

  • No _acme-challenge TXT record exists.

  • No redirects or rewrites for /.well-known.

  • Let’s Debug test returns “All OK” for http-01 challenge.

Given that all checks pass, it looks like the issue is on Vercel’s side and requires manual intervention to trigger SSL issuance.