Partial SSL cert propagation across edge nodes — domain unreachable

Hi guys. I have a Hobby project with a clear platform-side issue that’s
beyond my control. Sharing here since SSL support is locked behind paid
plans.

Domain: roteirobr.com
Cert ID: cert_6AWhfln1nAVpJUg23DDnPSco
Issued: Let’s Encrypt R13, valid May 6 → Aug 4 2026

After 1+ hour of DNS propagation:

  • Ran the official vercel-debug.sh from Singapore (Singtel) → tested all
    22 anycast IPs that resolve for the domain
  • 21 of 22 IPs returned TLS “Connection reset by peer”
  • Only 66.33.60.35 completed handshake and presented the valid cert
  • Now (re-testing 30 min later) even 66.33.60.35 fails

Same SNI on different domain (roteiro-app-nine.vercel.app) on those exact
same IPs returns HTTP 200 just fine. So the edge IS working — the cert
binding for roteirobr.com SNI is partially propagated.

Chat AI support escalated this and confirmed it’s an infrastructure issue
needing edge/network team, but Hobby plan can’t open a paid case.

Posting here because:

  1. Fully documented evidence (debug script + multiple test environments)
  2. Affecting Asia-Pacific users primarily
  3. No user action can fix this — needs Vercel-side cert sync push

Hoping a Vercel engineer can take a look. Happy to provide more debug
output or test from other regions.

## Current vs Expected behavior

Expected: `https://roteirobr.com` should serve the deployed app over HTTPS, like the working `https://roteiro-app-nine.vercel.app/` does.

Current: TLS handshake fails with "Connection reset by peer" on 21 of 22 anycast edge IPs that resolve for the domain. SSL cert is correctly issued (visible via `vercel certs ls`), domain is correctly attached to the project, DNS is correctly configured. After 1+ hour and re-issuing the cert multiple times via CLI, it remains broken.

This is partial cert propagation across the edge network — the cert exists, but the binding to the SNI `roteirobr.com` has not synced to all edge nodes.

## Steps to reproduce

```bash
# 1. Add custom domain (Hobby project, Third Party registrar — Namecheap)
vercel domains add roteirobr.com

# 2. Configure DNS at registrar:
#    A     @    76.76.21.21
#    CNAME www  cname.vercel-dns.com.

# 3. Wait for propagation (verified globally via dig @8.8.8.8 + dig @1.1.1.1)

# 4. Cert auto-issued — confirmed via:
vercel certs ls
# cert_6AWhfln1nAVpJUg23DDnPSco | roteirobr.com, www.roteirobr.com | in 90d

# 5. Test HTTPS:
curl -sI https://roteirobr.com/
# returns nothing — Connection reset by peer
```

Running the official Vercel debug script (vercel-connect-debug) tested all 22 anycast IPs that resolve for the domain. 21 returned “Connection reset by peer” during TLS handshake. Only 66.33.60.35 completed the handshake and presented the valid cert:

```
Server certificate:
  subject: CN=roteirobr.com
  start date: May 6 04:41:26 2026 GMT
  expire date: Aug 4 04:41:25 2026 GMT
  issuer: C=US; O=Let's Encrypt; CN=R13
  SSL certificate verify ok.
```

The same edge IPs (e.g., 76.76.21.142) successfully serve a different domain on the same project (roteiro-app-nine.vercel.app) with HTTP 200. So the edge nodes are functional — only the SNI mapping for roteirobr.com is missing on most of them.

Tested from 2 independent networks (Singapore Singtel + Brazilian residential ISP) — same result on both. Vercel chat AI support tested from inside Vercel and saw HTTP 200 (likely from an edge that did receive the cert), confirming it’s regional partial propagation.

## Project information

  • Project: roteiro-app (team helderfilipov-2946s-projects)

  • Plan: Hobby

  • Framework: Next.js 15.5.13

  • Domain: roteirobr.com (apex) + www.roteirobr.com

  • Registrar: Namecheap (Third Party — DNS managed at registrar, not Vercel)

  • Cert ID: cert_6AWhfln1nAVpJUg23DDnPSco (Let’s Encrypt R13, valid May 6 → Aug 4 2026)

  • Working URL (current): https://roteiro-app-nine.vercel.app/ (HTTP 200)

  • Broken URL: https://roteirobr.com/ (Connection reset)

  • Latest deployment: roteiro-fi4f5e0fi-helderfilipov-2946s-projects.vercel.app (Production, Ready)

  • Currently working IP: 66.33.60.35 (4.5% of edge nodes have the cert)

Vercel chat AI confirmed this is a platform-side issue but routed me here since SSL support cases require Pro plan. Hoping a Vercel engineer monitoring the forum can push the cert sync across all edges (especially Asia-Pacific where my user base hits).

Full debug script output available on request — happy to paste the 71-second test transcript if useful.
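The per-IP comparison described in the post above (the custom domain's SNI against a control hostname on the same IP) can be scripted as follows. This is an added example, not part of the original post and not Vercel's debug script; the function names, the verdict labels and the `SAMPLE` data (documentation-range IPs, `.example` hostnames) are assumptions made for illustration.

```python
import socket
import ssl
import sys
from collections import Counter

def probe(ip, sni, port=443, timeout=5.0):
    """TLS handshake against one IP with the given SNI; True if it completes and verifies."""
    ctx = ssl.create_default_context()  # checks chain and hostname against `sni`
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni):
                return True
    except OSError:  # covers resets, timeouts and ssl.SSLError
        return False

def classify(target_ok, control_ok):
    if target_ok:
        return "serving"
    if control_ok:
        return "sni-binding-missing"  # node completes TLS for the control name only
    return "edge-unreachable"         # neither name works: path or node problem

def survey(target, control, ips, prober=probe):
    """Probe every IP with both names and return {ip: verdict}."""
    return {ip: classify(prober(ip, target), prober(ip, control)) for ip in ips}

def summarise(verdicts):
    return dict(Counter(verdicts.values()))

def resolve_ipv4(host):
    infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

# Constructed sample (not real edge nodes): ip -> names that complete a handshake
SAMPLE = {"192.0.2.1": {"custom.example", "control.example"},
          "192.0.2.2": {"control.example"},
          "192.0.2.3": set()}

def sample_prober(ip, sni):
    return sni in SAMPLE[ip]

if __name__ == "__main__":
    # Live: python sni_survey.py <custom-domain> <control-hostname> [ip ...]
    if len(sys.argv) >= 3:
        target, control = sys.argv[1], sys.argv[2]
        result = survey(target, control, sys.argv[3:] or resolve_ipv4(target))
    else:  # no arguments: run offline on the constructed sample
        result = survey("custom.example", "control.example", list(SAMPLE), sample_prober)
    for ip, verdict in result.items():
        print(f"{ip:15}  {verdict}")
    print(summarise(result))
```

A `sni-binding-missing` verdict on most IPs with `serving` on a few matches the pattern reported in the post; `edge-unreachable` on every IP would instead point at the network path from the test location.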

The domain troubleshooting guide can help with most custom domain configuration issues. You might be able to use that guide to solve it before a human is available to help you. Then you can come back here and share the answer for bonus points.

You can also use v0 to narrow down the possibilities.