Body:
My apex domain billionsclub.vip (configured as a 301 redirect to www.billionsclub.vip) intermittently serves the wildcard certificate CN=*.billionsclub.vip instead of the apex certificate CN=billionsclub.vip, depending on which edge IP the request lands on. The wildcard cert does not cover the bare apex, so visitors get a “connection is not private” / CN mismatch error. It happens reliably on mobile networks (multiple Czech carriers).
DNS is fully managed by Vercel (ALIAS records, auto-generated):
@ → ALIAS → 82d5ab1c39835b4a.vercel-dns-017.com
* → ALIAS → cname.vercel-dns-017.com
The apex resolves to two edge IPs that serve different certificates:
216.198.79.1 → CN=billionsclub.vip (correct)
216.198.79.65 → CN=*.billionsclub.vip (wildcard, does not cover apex)
Reproduction (run several times, results vary by edge node):
for i in $(seq 8); do echo | openssl s_client -connect billionsclub.vip:443 -servername billionsclub.vip 2>&1 | grep subject=; done
Output — 5 of 8 requests get the wrong cert:
subject=CN=billionsclub.vip
subject=CN=*.billionsclub.vip
subject=CN=*.billionsclub.vip
subject=CN=*.billionsclub.vip
subject=CN=*.billionsclub.vip
subject=CN=billionsclub.vip
subject=CN=*.billionsclub.vip
subject=CN=billionsclub.vip
The apex Let’s Encrypt cert exists and is valid (216.198.79.1 proves it), but it is not deployed uniformly across all edge nodes — some nodes fall back to serving the *.billionsclub.vip wildcard cert for SNI billionsclub.vip, which is invalid for a bare apex.
Already tried, without success:
- Domain Refresh in the dashboard
- Remove + re-add the apex domain
- Confirmed CAA records allow Let’s Encrypt (0 issue "letsencrypt.org" present)
Please re-provision and redistribute the apex certificate across all edge nodes so billionsclub.vip consistently serves CN=billionsclub.vip.
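Added example, not part of the original post: the loop above depends on which edge IP DNS returns for each run and prints only the subject CN. This POSIX shell script instead connects to each edge IP in turn and checks the certificate's SAN entries against the SNI name, using the rule that a wildcard covers exactly one left-most label; the function names and the example.test sample are assumptions, and `-ext` needs OpenSSL 1.1.1 or later.

```shell
# Added example. Names and sample data below are illustrative assumptions.

# san_matches HOST PATTERN: succeed if dNSName PATTERN covers HOST.
# A wildcard stands for exactly one left-most label, so *.example.test
# covers www.example.test but neither example.test nor a.b.example.test.
san_matches() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$pat" in
    '*.'*)
      suffix=${pat#?}                      # ".example.test"
      case "$host" in
        *"$suffix") label=${host%"$suffix"} ;;
        *) return 1 ;;
      esac
      case "$label" in ''|*.*) return 1 ;; esac
      return 0 ;;
    *) [ "$host" = "$pat" ] ;;
  esac
}

# cert_covers HOST: read `openssl x509 -noout -ext subjectAltName` output
# on stdin and succeed if any DNS entry covers HOST.
cert_covers() {
  sans=$(tr ',' '\n' | sed -n 's/^ *DNS://p')
  while IFS= read -r name; do
    san_matches "$1" "$name" && return 0
  done <<EOF
$sans
EOF
  return 1
}

# probe_edges SNI IP...: connect to each IP directly, sending SNI.
# NOT-COVERED is also printed when no certificate could be fetched.
probe_edges() {
  sni=$1; shift
  for ip in "$@"; do
    if openssl s_client -connect "$ip:443" -servername "$sni" </dev/null 2>/dev/null |
        openssl x509 -noout -ext subjectAltName 2>/dev/null | cert_covers "$sni"
    then echo "$ip covers $sni"; else echo "$ip NOT-COVERED"; fi
  done
}

# Constructed sample of the SAN extension text for a wildcard-only certificate.
SAMPLE_WILDCARD_ONLY='X509v3 Subject Alternative Name:
    DNS:*.example.test'
# Usage with the values from the post:
#   probe_edges billionsclub.vip 216.198.79.1 216.198.79.65
```

Running the probe from a monitoring host on a schedule gives a per-edge record of which nodes present a certificate that does not cover the apex.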