The main reason for Vercel not automatically generating an SSL certificate for your domain is because of an incorrect or conflicting CAA record. Domains with the correct CAA record will always have the value 0 issue "letsencrypt.org" without any other CAA records being present.

Verifying the CAA Record

You can verify your domain is using the correct CAA record by checking with whatsmydns.net. If your CAA record is incorrect, or another is present, we recommend you remove it and/or add the correct CAA record via our DNS UI. This can be accessed by clicking on your domain from your Vercel account domain's dashboard.

The DNS UI with default records.

You may also use the DNS UI to remove and add your CAA records.

The "Delete" option highlighted for a given record.

If you have followed the instructions above successfully, your domain should now automatically generate a SSL certificate.

Note: To establish the record-id, use the vercel dns ls command.

Vercel Support

For any further questions or concerns, please contact Vercel Support using the support form available from the Vercel dashboard. You can also directly email support@vercel.com.