You moved a site from Vercel to Firebase Hosting. Vercel worked perfectly; same domain in Firebase shows “Pending verification” forever, or verifies but SSL never finishes provisioning. The difference: Firebase requires very specific DNS records that Vercel doesn’t need. Vercel is lenient and abstracts a lot of the DNS work; Firebase is more like AWS — it gives you exact IP and TXT values and rejects anything that doesn’t match. The fix is following Firebase’s wizard precisely and removing any Vercel-era records that conflict.
Common causes
Ordered by hit rate, highest first.
1. Wrong A records — Firebase requires specific IPs
Firebase doesn’t accept any IP; it gives you a specific pair (e.g., 151.101.1.195 and 151.101.65.195 historically, though these change). Vercel’s 76.76.21.21 won’t work for Firebase.
How to spot it: Firebase Console → Hosting → your domain → check “What we need” section for exact IPs. Compare to what’s in your DNS.
2. Old Vercel records still present
You forgot to delete the old A record pointing to Vercel before adding Firebase’s. DNS now has both, returning Vercel’s IP often.
How to spot it:
dig yourdomain.comIf results include Vercel’s IP (76.76.21.21), you have a stale record.
3. TXT verification record not added or not propagated
Firebase requires a TXT record at the apex for verification. If you skipped it or it hasn’t propagated, verification fails.
How to spot it:
dig TXT yourdomain.com | grep -i firebaseShould show Firebase’s verification string.
4. CAA record blocks Let’s Encrypt
Firebase uses Let’s Encrypt. Your CAA records (if any) must allow it.
How to spot it:
dig CAA yourdomain.comIf you have CAA records, ensure letsencrypt.org is allowed.
5. Cloudflare proxy interferes during initial verification
Cloudflare’s proxy obscures DNS for Firebase’s verification crawler. Verification fails.
How to spot it: Cloudflare → DNS → if proxied (orange cloud) on the domain during Firebase verification, disable temporarily.
6. Multiple Firebase projects competing
You added the same domain to two Firebase projects. Only one can hold it.
How to spot it: Firebase Console → check other projects you might have. Remove from all but one.
Shortest path to fix
Step 1: Remove the domain from Vercel first
In Vercel project → Domains → remove yourdomain.com. This releases Vercel’s claim on the domain and removes any Vercel-side conflicts.
Step 2: In Firebase Console, add the domain
Firebase → Hosting → Add custom domain → enter yourdomain.com. Firebase displays:
- A required TXT record for verification (at apex)
- After verification: the specific A records you must set
Step 3: Add TXT record at DNS provider
In your DNS provider, add the TXT record exactly as Firebase shows. Set TTL to 300 or 600.
Wait 5-10 minutes for propagation. In Firebase Console, click “Verify.” Should succeed.
Step 4: Add the A records Firebase gives
After verification, Firebase shows the A records (usually 2 IPs). Add both at the apex, with TTL 300.
Delete any old A records from Vercel era.
Step 5: Check CAA records
dig CAA yourdomain.comIf you have CAA, ensure they include letsencrypt.org or are empty. If restrictive, add or remove as needed.
Step 6: Disable Cloudflare proxy temporarily
If using Cloudflare, set DNS records to “DNS only” (grey cloud) during initial Firebase setup. After SSL is issued, you can re-enable proxy.
Step 7: Wait for SSL provisioning
Firebase says “up to 24 hours” but usually 15 minutes to a few hours. Don’t repeatedly delete and re-add — that resets the queue.
Step 8: Verify
curl -sI https://yourdomain.com | head -3Should be HTTP/2 200 with valid cert.
When this is not on you
Firebase SSL provisioning is documented to take “up to 24 hours” but often takes 30 minutes. If it’s stuck after 48 hours with verified records, contact Firebase support with project ID and domain.
Easy to misdiagnose as
People assume “DNS is DNS” and Vercel’s record format works elsewhere. It doesn’t. Each platform has its own DNS expectations — follow the platform’s wizard exactly, don’t substitute values from other docs.
Prevention
- Document the exact DNS state required by each hosting platform in your
domain-setup.md. - Remove old hosting records and bindings BEFORE switching to new hosting.
- Don’t use Cloudflare proxy during initial Firebase setup; re-enable after SSL is provisioned.
- Verify TXT and A records propagated via
digbefore clicking Verify in Firebase. - Use Firebase’s exact IPs and CNAME values; don’t approximate.
FAQ
- Why does Firebase need specific IPs? Their CDN infrastructure routes traffic via specific anycast IPs. Generic CNAMEs don’t fit their model.
- Can I use Cloudflare proxy with Firebase? Yes, after initial setup. During verification and first SSL issuance, disable proxy.