I’m running a multi-tenant SaaS app (archviz-platform) on Vercel with a wildcard domain *.lumicasa.homes. Since adding an api.lumicasa.homes CNAME record pointing to Railway (external service), any subdomain not visited before that change returns a 403 Forbidden from the Frankfurt edge (fra1).
Vercel support chat confirmed wildcardConsistent: false on my wildcard cert and acknowledged the issue is a partial DNS-01 validation that occurred when the Railway CNAME was present during original cert issuance.
My configuration:
- Vercel nameservers ✓
- *.lumicasa.homes → archviz-platform project ✓
- CAA records include letsencrypt.org ✓
- Active cert cert_FgMrKfoQktdCov4yMwTUOkgH covering *.lumicasa.homes, issued Apr 26, 84 days remaining
- api.lumicasa.homes CNAME → Railway (not connected to Vercel project)
What I’ve tried:
- Disabled all deployment protection
- Removed and re-added *.lumicasa.homes from project domains
- Updated vercel.json rewrites to scope by host
- Cannot delete the cert — “system certificates cannot be deleted”
What I need: A forced reissue of the wildcard cert cert_FgMrKfoQktdCov4yMwTUOkgH for *.lumicasa.homes on team ahmeds-projects-0a9f55f6, project archviz-platform.
Is there any way to trigger this without Vercel infrastructure team access? Or can a Vercel staff member here escalate this?