The domain troubleshooting guide can help with most custom domain configuration issues. You might be able to use that guide to solve it before a human is available to help you. Then you can come back here and share the answer for bonus points.
You can also use v0 to narrow down the possibilities.
A no-sni.vercel-infra.com certificate in a security scan usually means the scanner tested the Vercel edge IP without SNI. That is different from what normal browsers do for a custom domain.
If the first command shows no-sni.vercel-infra.com but the second command shows your actual domain certificate, then the audit finding is probably a no-SNI scanner artifact rather than a user-facing certificate issue.
For third-party domains on Vercel, make sure the A/CNAME records match what Vercel shows in the dashboard, and remove any stale AAAA record if one exists. If CAA records are present, they also need to allow Vercel/Let’s Encrypt to issue the certificate.
Vercel’s domain troubleshooting guide is useful for comparing those checks:
If browsers fail even when the SNI test passes, the next useful detail would be the exact browser error, affected region/network, and the output of the openssl s_client -servername yourdomain.com command.
aiseopages.nl (same machine, same network, same Schannel, same minute):
curl --tlsv1.2 → HTTP/1.1 200 OK (full response, all headers)
curl --tlsv1.3 → HTTP/1.1 200 OK
So this rules out the two things we wanted to separate:
It is NOT Windows/Schannel: aiseopages.nl works perfectly through the exact same Schannel stack on the same machine.
It is NOT a TLS-version mismatch: both 1.2 and 1.3 fail identically for webshoppages.nl.
The handshake for webshoppages.nl fails before completion regardless of TLS version, and even when connecting directly to the Vercel IP (216.198.79.1) with SNI. Meanwhile aiseopages.nl on that exact same IP returns 200 OK.
Summary of the isolation:
same machine, same network, same time, same Vercel edge IP (216.198.79.1)
one domain (aiseopages.nl) works
the other (webshoppages.nl) fails before the cert/handshake completes
Earlier checks already confirmed: clean A record, empty AAAA, no CAA, no _acme-challenge, and Let’s Debug (http-01) returns “All OK”. The .vercel.app deployment works fine, and the domain also loads on mobile over the same Wi-Fi.
This really isolates it to domain-specific TLS/edge serving for webshoppages.nl on the EU path that serves my connection. Could this be escalated to Vercel staff to re-provision / re-issue the certificate for this hostname on the edge?
I’m happy to provide privately: project ID, deployment ID, exact failing timestamp (CEST), ISP/region (KPN, Netherlands), and any log/generation IDs.
Thanks again for the help narrowing this down.
Jack