I’m experiencing TLS failures on my custom domain bmudpt.xyz. The .vercel.app deployment URL works perfectly, but the custom domain fails with ERR_SSL_PROTOCOL_ERROR.
What’s happening:
Both edge IPs assigned to my domain fail TLS handshakes:
216.198.79.1 — resets the connection (broken pipe)
64.29.17.65 — returns tlsv1 alert protocol version
Neither IP serves a certificate. This reproduces on multiple devices and networks.
What I’ve tried:
Re-created the ALIAS records
Added a CAA record for 0 issue "letsencrypt.org"
Removed and re-added the domain to my project
The likely cause:
There’s a default CAA record 0 issue "pki.goog" on my domain that I cannot delete or edit — it shows as a default DNS record in Vercel’s system. This restricts certificate issuance to Google’s CA, but Vercel uses Let’s Encrypt. The edge nodes may be refusing to serve the cert due to this mismatch.
Expected behavior:
The edge nodes should serve a valid TLS certificate, like they do for the .vercel.app URL.
Is there any way to get this CAA record removed, or to have the edge nodes investigated? Thanks!
The domain troubleshooting guide can help with most custom domain configuration issues. You might be able to use that guide to solve it before a human is available to help you. Then you can come back here and share the answer for bonus points.
You can also use v0 to narrow down the possibilities.
Your CAA suspicion is worth checking. Vercel’s domain troubleshooting docs say Vercel uses Let’s Encrypt for automatic SSL certificates, and if any CAA records already exist on the domain, the domain needs to allow letsencrypt.org.
A couple of things I would verify:
Run:
dig -t CAA +noall +ans bmudpt.xyz
Confirm whether the domain has only pki.goog, or whether letsencrypt.org is also present.
If CAA records are managed through Vercel DNS and you cannot remove/edit the pki.goog record, this may need Vercel staff to inspect the DNS zone.
Also check the domain in Let’s Debug or DNSViz, since Vercel recommends those for SSL certificate troubleshooting.
If Let’s Encrypt is not authorized by the CAA records, that would explain why Vercel cannot issue/serve the expected certificate for the custom domain while the .vercel.app deployment URL works.
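A way to check the CAA logic yourself, offline, before opening a ticket. The following is an added example written for this thread, not code from Vercel or from the original poster. It implements the issuance check a CA performs under RFC 8659 (walk up from the name to the closest ancestor that has CAA records, then look at the `issue` / `issuewild` property tags) against a constructed in-memory zone. The zone below is made up for illustration and models the records described in the thread; it is not a live lookup. To run it against the real domain, paste the output of `dig -t CAA +noall +ans bmudpt.xyz` (just the RDATA part, e.g. `0 issue "pki.goog"`) into the dictionary.

```python
import re

# Constructed sample data (not live DNS answers): owner name -> CAA RDATA strings.
SAMPLE_ZONE = {
    "bmudpt.xyz": ['0 issue "pki.goog"'],                              # as described in the thread
    "fixed.example": ['0 issue "pki.goog"', '0 issue "letsencrypt.org"'],  # both CAs allowed
    "www.fixed.example": [],   # no CAA at the leaf: the check climbs to fixed.example
    "locked.example": ['0 issue ";"'],  # ";" means no CA may issue at all
    "open.example": [],        # no CAA anywhere in the tree: unrestricted
}

# flags  tag  "value"  in presentation format, e.g. 0 issue "letsencrypt.org"
CAA_RE = re.compile(r'^\s*(\d+)\s+(\S+)\s+"([^"]*)"\s*$')

def parse_caa(rr):
    """Parse one CAA record into (flags, tag, value)."""
    m = CAA_RE.match(rr)
    if not m:
        raise ValueError(f"not a CAA record in presentation format: {rr!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def relevant_caa_rrset(zone, name):
    """RFC 8659 section 3: the relevant RRset is the one on the closest
    name (the FQDN itself or an ancestor) that actually has CAA records.
    Returns (owner_name, [(flags, tag, value), ...]) or (None, [])."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrs = zone.get(candidate)
        if rrs:
            return candidate, [parse_caa(r) for r in rrs]
    return None, []

def issuer_domain(value):
    """The issuer domain is the part of the value before the first ';'
    (the rest is optional parameters such as validationmethods=...)."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(zone, name, ca="letsencrypt.org", wildcard=False):
    """Decide whether `ca` is permitted to issue for `name`.
    Returns (allowed: bool, reason: str)."""
    owner, rrset = relevant_caa_rrset(zone, name)
    if not rrset:
        return True, "no CAA records found in the tree; any CA may issue"
    # A CA must refuse if it sees an unknown property with the critical bit (128) set.
    known = {"issue", "issuewild", "iodef"}
    for flags, tag, _ in rrset:
        if flags & 128 and tag not in known:
            return False, f"unknown critical property {tag!r} at {owner}"
    tags = {t for _, t, _ in rrset}
    # For wildcard names, issuewild takes precedence when present; otherwise issue applies.
    selector = "issuewild" if (wildcard and "issuewild" in tags) else "issue"
    restricting = [v for _, t, v in rrset if t == selector]
    if not restricting:
        return True, f"{owner} has no {selector} property; CAA does not restrict issuance"
    issuers = {issuer_domain(v) for v in restricting}
    if ca.lower() in issuers:
        return True, f"{owner} {selector} allows {ca}"
    # An empty issuer name (from a value like ";") authorises nobody.
    allowed = sorted(i for i in issuers if i) or ["<none>"]
    return False, f"{owner} {selector} allows only {allowed}, not {ca}"

if __name__ == "__main__":
    for fqdn in SAMPLE_ZONE:
        ok, why = may_issue(SAMPLE_ZONE, fqdn)
        print(f"{fqdn:22s} letsencrypt.org -> {'ALLOWED' if ok else 'BLOCKED'}: {why}")
```

With the record from the thread, `may_issue(SAMPLE_ZONE, "bmudpt.xyz")` comes back blocked for letsencrypt.org and allowed for pki.goog, which is exactly the mismatch suspected above; adding a second `0 issue "letsencrypt.org"` record alongside the existing one (as in `fixed.example`) is sufficient, since multiple `issue` records are a union, not a conflict. Note that this only models the CAA decision; it says nothing about why the edge nodes reset the handshake, which Vercel staff would still need to look at.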