Skip to main content

Troubleshooting 'Invalid Configuration' and Stuck DNS on Vercel Custom Domains

 There are few things in the deployment pipeline more anxiety-inducing than the red "Invalid Configuration" error in the Vercel dashboard. Your Next.js application builds perfectly, the preview URLs work, but your production custom domain is stuck.

You might see an endless "Generating SSL" spinner, a generic 404 error on your apex domain (the non-www version), or a "Conflicting Records" warning.

This is not a waiting game. If the configuration has been stuck for more than 15 minutes, it is likely a misconfiguration, not a propagation delay. This guide covers the root cause of these DNS failures and provides the specific technical steps to resolve them.

The Root Cause: How Vercel Edge Network Validation Works

To understand why your domain is failing, you must understand the validation handshake. When you add a domain to Vercel, two distinct processes occur:

  1. Ownership Verification: Vercel checks the DNS records to ensure you control the domain.
  2. SSL Certificate Issuance: Vercel (via Let's Encrypt or ZeroSSL) attempts an HTTP-01 challenge.

The HTTP-01 challenge works by placing a token file at a specific path on your server. The Certificate Authority (CA) tries to download this file via http://yourdomain.com/.well-known/acme-challenge/....

The Problem: If your DNS records (A or CNAME) do not point directly and exclusively to Vercel's Edge Network, the CA cannot find the token. The request times out, and the SSL generation hangs indefinitely. This often happens due to:

  • Proxy layers (like Cloudflare) interfering with the request.
  • Legacy A records pointing to old servers.
  • Misunderstanding the difference between CNAME and A records on the root domain.

Solution 1: Fixing the Apex Domain (Root) Configuration

The most common issue is the "Apex" domain (e.g., example.com without the www).

According to the DNS RFC 1034 standard, you cannot place a CNAME record at the root (Apex) level of a domain. While some providers (like Cloudflare or AWS Route53) offer "CNAME Flattening" or "Alias" records to bypass this, standard DNS requires an A Record for the root.

If you are seeing a 404 on the root domain but the www subdomain works, your A record is likely incorrect or missing.

The Fix

Log into your DNS provider (GoDaddy, Namecheap, AWS, etc.) and ensure the following configuration strictly exists. Delete any other A records pointing to different IPs.

TypeName / HostValue / Points ToTTL
A@ (or blank)76.76.21.21Auto / 3600

Note: 76.76.21.21 is Vercel's global Anycast IP address.

Solution 2: The "Double Proxy" Issue (Cloudflare Users)

If you use Cloudflare as your DNS provider but host on Vercel, you are likely encountering the "Invalid Configuration" error due to Cloudflare's proxy status.

By default, Cloudflare enables the "Orange Cloud" (Proxy enabled) for new records. This means traffic flows Client -> Cloudflare -> Vercel.

However, Vercel attempts to issue an SSL certificate for your domain. Cloudflare also attempts to issue a universal SSL certificate. These two processes often conflict during the initial setup, causing a redirect loop or a validation failure (Error 525 or 526).

The Fix

  1. Open your Cloudflare Dashboard.
  2. Navigate to DNS.
  3. Locate your A record (@) and CNAME record (www).
  4. Toggle the Proxy Status switch from "Proxied" (Orange Cloud) to "DNS Only" (Grey Cloud).
  5. Wait 5 minutes and check Vercel.

Once Vercel verifies the domain and issues the certificate (status turns green), you can technically turn the proxy back on, but for optimal performance, Vercel recommends keeping it "DNS Only" to rely on their own Edge Network caching and firewall.

Solution 3: The Correct www Configuration

For the www subdomain, you should always use a CNAME record. This allows Vercel to handle traffic routing dynamically if their infrastructure changes.

The Fix

Ensure your DNS provider has this exact record:

TypeName / HostValue / Points To
CNAMEwwwcname.vercel-dns.com

Critical Warning: Do not point the CNAME to your-app.vercel.app. While this sometimes works, pointing to cname.vercel-dns.com is the official recommendation for external domains to ensure proper specialized routing and redundancy.

Programmatic Diagnosis: A Node.js Verification Script

Sometimes, DNS caching on your local machine lies to you. dig and nslookup are useful, but writing a script ensures you are seeing what the network sees.

Create a file named verify-dns.mjs and run it to strictly validate your configuration against Vercel's requirements.

import dns from 'node:dns/promises';

const DOMAIN = process.argv[2]; // Usage: node verify-dns.mjs example.com
const VERCEL_IP = '76.76.21.21';
const VERCEL_CNAME = 'cname.vercel-dns.com';

if (!DOMAIN) {
  console.error('❌ Please provide a domain name.');
  process.exit(1);
}

async function verifyVercelDNS() {
  console.log(`🔍 Diagnosing DNS for: ${DOMAIN}\n`);

  try {
    // 1. Check A Record (Root)
    console.log('--- Checking Root A Record ---');
    const aRecords = await dns.resolve4(DOMAIN).catch(() => []);
    
    if (aRecords.length === 0) {
      console.error('❌ No A records found.');
    } else {
      const isCorrect = aRecords.includes(VERCEL_IP);
      if (isCorrect) {
        console.log(`✅ Correct: Found Vercel Anycast IP (${VERCEL_IP})`);
      } else {
        console.warn(`⚠️  Warning: Found incorrect IPs: ${aRecords.join(', ')}`);
        console.warn(`   Expected: ${VERCEL_IP}`);
      }
    }

    // 2. Check WWW CNAME
    console.log('\n--- Checking WWW CNAME Record ---');
    const wwwDomain = `www.${DOMAIN}`;
    // resolveCname throws error if it's not a CNAME (e.g., if it's an A record)
    try {
        const cnameRecords = await dns.resolveCname(wwwDomain);
        const pointsToVercel = cnameRecords.some(r => r.includes('vercel-dns.com'));
        
        if (pointsToVercel) {
             console.log(`✅ Correct: www points to ${cnameRecords[0]}`);
        } else {
             console.warn(`⚠️  Warning: www points to ${cnameRecords[0]}`);
             console.warn(`   Expected: ${VERCEL_CNAME}`);
        }
    } catch (e) {
        // If it fails, check if it's an A record (common mistake)
        const wwwARecords = await dns.resolve4(wwwDomain).catch(() => []);
        if (wwwARecords.length > 0) {
            console.warn(`⚠️  Misconfiguration: 'www' is an A Record pointing to ${wwwARecords[0]}`);
            console.warn(`   Should be a CNAME pointing to ${VERCEL_CNAME}`);
        } else {
            console.error(`❌ Could not resolve 'www' subdomain.`);
        }
    }

  } catch (error) {
    console.error('System Error:', error.message);
  }
}

verifyVercelDNS();

Run this script:

node verify-dns.mjs yourdomain.com

Advanced: Handling Canonical Redirects in Next.js

Once your DNS is green, you may face a logic issue: users can access both example.com and www.example.com. This is bad for SEO (duplicate content).

While Vercel dashboard allows you to redirect www to non-www (or vice versa), doing this within your application configuration creates a portable, immutable infrastructure definition.

In your next.config.js (or next.config.mjs), utilize the redirects function to enforce your preferred domain strategy.

Enforcing Non-WWW (Clean URLs)

This configuration ensures anyone visiting www.example.com is 308 (Permanent) redirected to example.com.

/** @type {import('next').NextConfig} */
const nextConfig = {
  async redirects() {
    return [
      {
        source: '/:path*',
        has: [
          {
            type: 'host',
            value: 'www.yourdomain.com',
          },
        ],
        destination: 'https://yourdomain.com/:path*',
        permanent: true,
      },
    ];
  },
};

export default nextConfig;

Common Pitfalls and Edge Cases

1. The "Remove and Re-add" Strategy

If your settings are correct (verified by the script above) but Vercel still says "Invalid Configuration" after 1 hour, the internal state machine might be stuck.

  1. Go to Vercel Dashboard > Project Settings > Domains.
  2. Remove the domain.
  3. Wait 10 seconds.
  4. Add the domain again. This triggers a fresh ACME challenge request immediately.

2. CAA Records Blocking SSL

Certificate Authority Authorization (CAA) records specify which Certificate Authorities are allowed to issue certificates for your domain. If you migrated from a specialized host, you might have old CAA records allowing only "digicert" or "comodo". Fix: Remove all CAA records or add one permitting Let's Encrypt: 0 issue "letsencrypt.org"

3. DNS Propagation vs. Local Cache

You might update your DNS, but your computer remembers the old IP.

  • Flush DNS (macOS): sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
  • Flush DNS (Windows): ipconfig /flushdns Always check propagation using a global tool like whatsmydns.net rather than just your local browser.

Conclusion

Vercel's "Invalid Configuration" almost always boils down to a strict requirement for network exclusivity. The platform needs to prove you own the domain via HTTP challenge, and it needs a clear path to do so.

By pinning your root A record to 76.76.21.21, setting your CNAME to cname.vercel-dns.com, and ensuring no proxy layers or CAA records are blocking the handshake, you will resolve the error. Once the green checkmarks appear, rely on Next.js config to handle your canonical redirects for a performant, SEO-friendly deployment.

Labels: