By default, we require wildcard domains to use Vercel nameservers to issue TLS certificates (and renew them automatically).
See: Why must we use the Domain Nameservers method for Wildcard Domains on Vercel? for more details.
Workaround
Step 1 - Create NS records
If you can't change your apex domain's nameservers (e.g., your DNS provider doesn't allow it), you can create NS records on _acme-challenge subdomain instead as a secondary option.
For example, if you add *.acme.com to your project domains, you can create NS records listed below:
Record Type | Name | Value |
|---|---|---|
|
|
|
|
|
|
Similarly, if you add *.foo.acme.com, you can add NS records for _acme-challenge.foo subdomain.
This can be used to delegate the _acme-challenge subdomain to Vercel nameservers, and other subdomains continue to use the current DNS provider's name servers as before.
Please note: Using this method may prevent other hosting providers from creating certificates for their service and should only be used if you cannot change your name servers.
Step 2 - Enable Vercel DNS
Go to the Domains page and select the Apex domain. Then, click the Enable Vercel DNS button to activate the Vercel DNS.
