Custom Domain Works on Vercel but Not Firebase (2026 Fix)

Same domain binds fine on Vercel but Firebase Hosting stays Pending or never gets SSL. The exact DNS records Firebase needs, what to remove, and how to confirm the fix.

You pointed a domain at Vercel and it just worked. The same domain on Firebase Hosting sits at Needs setup / Pending, or it verifies but the SSL certificate never finishes provisioning.

Fastest fix: remove the domain from Vercel, then in the Firebase console use Add custom domain and copy its records exactly — first the TXT ownership record, then the A and AAAA records Firebase shows after verification. Delete every old Vercel-era A, AAAA, and CNAME record on the apex, and (if you use Cloudflare) set those records to DNS only (grey cloud) until SSL is issued. Then wait — provisioning can take up to 24 hours, though it’s usually under an hour.

The reason this surprises people: Vercel abstracts most of the DNS work and is forgiving about leftover records. Firebase is strict, like AWS — it hands you exact values and refuses to provision a certificate if anything conflicts. As of June 2026 Firebase Hosting also requires you to remove stray AAAA records, not just A/CNAME, which is the single most common reason a “Vercel-style” setup that looks right still fails.

Which bucket are you in?

Symptom in the Firebase consoleMost likely causeJump to
Stuck on Needs setup, Verify keeps failingTXT record missing, wrong, or not propagatedStep 3
Verified, but status stays Pending and no SSLOld Vercel A/AAAA/CNAME still present, or CAA blocks the CASteps 4-5
Pending even though A/AAAA look rightCloudflare proxy on, or a CAA record that omits the CASteps 5-6
Domain shows as claimed elsewhereSame domain added to another Firebase projectCause 6
Everything correct, still no cert after 48hFirebase-side queue; open a support ticketWhen this is not on you

Common causes

Ordered by hit rate, highest first.

1. Old Vercel records still present (including AAAA)

The classic miss. You add Firebase’s A records but leave the old apex records pointing at Vercel, so DNS still returns Vercel’s IP. Firebase explicitly requires you to remove all A, AAAA, and CNAME records that point to other providers; their presence blocks certificate provisioning.

How to spot it:

dig +short A yourdomain.com
dig +short AAAA yourdomain.com

If you see Vercel’s 76.76.21.21 (or any IPv6 from your old host) in the output, you have a stale record. Firebase’s IPs are Google-owned (the wizard currently shows values such as 199.36.158.100, but always copy the exact pair from your console).

2. Wrong A/AAAA values — Firebase gives you the exact ones

Firebase does not accept arbitrary IPs. The Add custom domain wizard shows the specific A and AAAA records for your project. Vercel’s 76.76.21.21 will never work, and IPs copied from old blog posts (the legacy Fastly 151.101.x.x pair) are out of date — use only what your console shows.

How to spot it: Firebase Console → Hosting → your domain → the records panel lists the exact A and AAAA values. Compare them to your live DNS.

3. TXT verification record not added or not propagated

Firebase requires a TXT record on the apex to prove ownership before it will verify the domain. If it’s missing or hasn’t propagated, Verify fails. Keep this TXT record in place permanently — Firebase uses it to authorize certificate renewals, not just the first issuance.

How to spot it:

dig +short TXT yourdomain.com

You should see Firebase’s verification string. Nothing returned = not added or not propagated yet.

4. CAA record blocks the certificate authority

Firebase mints certificates from Let’s Encrypt and Google Trust Services. If you have any CAA record, it must permit both certificate authorities. A CAA record that only lists a different CA (or only letsencrypt.org without pki.goog) will silently block issuance.

How to spot it:

dig +short CAA yourdomain.com

If CAA records exist, they must include letsencrypt.org and pki.goog. No CAA record at all is fine — the default allows both.

5. Cloudflare proxy interferes during initial verification

Cloudflare’s orange-cloud proxy hides your real records behind Cloudflare IPs, so Firebase’s verifier and CA challenge can’t see what they need. Verification or first SSL issuance fails.

How to spot it: Cloudflare → DNS → if the apex records show the orange (proxied) cloud during Firebase setup, switch them to DNS only (grey) until the cert is live.

6. Same domain claimed by another Firebase project

A domain can only be held by one Firebase project. If you (or a teammate) added it elsewhere, the new project can’t claim it.

How to spot it: Check your other Firebase projects’ Hosting pages and remove the domain everywhere except the project you actually want.

Shortest path to fix

Step 1: Remove the domain from Vercel first

Vercel project → Settings → Domains → remove yourdomain.com. This releases Vercel’s claim and stops it from re-asserting records.

Step 2: Add the domain in Firebase

Firebase Console → HostingAdd custom domain → enter yourdomain.com.

Choose the right wizard:

  • Quick setup — for a new domain, or one whose traffic you don’t mind cutting over immediately.
  • Advanced setup — for a live site that’s still serving from another host. It establishes the SSL certificate and ownership before you flip DNS, giving a zero-downtime migration. Pick this if the domain is currently in production.

Firebase then shows a TXT ownership record and, after verification, the A and AAAA records to point at Hosting.

Step 3: Add the TXT record and verify

In your DNS provider, add the TXT record exactly as Firebase shows it on the apex (@ / blank host). Set TTL to 300-600 so changes propagate quickly.

Wait a few minutes, confirm it’s live with dig +short TXT yourdomain.com, then click Verify in the console. (If Verify errors, the record hasn’t propagated or a value is wrong — recheck before retrying.)

Step 4: Add the A and AAAA records, remove the old ones

After verification Firebase displays its A and AAAA records (usually two A values, and AAAA for IPv6). Add all of them on the apex with TTL 300.

Then delete every leftover A, AAAA, and CNAME on the apex that pointed to Vercel or any other host. This step is mandatory — leftover records block the certificate.

Step 5: Check CAA records

dig +short CAA yourdomain.com

If any CAA records exist, make sure they allow letsencrypt.org and pki.goog. If you have no CAA record, leave it that way — the default permits both.

Step 6: Set Cloudflare records to DNS only

If you use Cloudflare, switch the apex A/AAAA records to DNS only (grey cloud) for setup. After the certificate is issued and the site loads over HTTPS, you can re-enable the proxy.

Step 7: Wait for SSL provisioning — don’t churn

Firebase documents “up to 24 hours” and most domains finish within an hour. Do not repeatedly delete and re-add the domain; that resets the provisioning queue and makes it slower.

Step 8: Confirm it’s fixed

curl -sI https://yourdomain.com | head -3

A valid setup returns HTTP/2 200 with a trusted certificate (no warning). For a deeper check, confirm the cert issuer and DNS values with Google’s Admin Toolbox Dig and:

curl -svo /dev/null https://yourdomain.com 2>&1 | grep -i "issuer\|subject"

The issuer should be Let’s Encrypt or Google Trust Services, and the subject should match your domain.

When this is not on you

If the records are verified and correct (right A/AAAA, no conflicts, CAA allows the CA, no proxy) and there’s still no certificate after 48 hours, it’s a Firebase-side queue issue. Open a ticket via Firebase Support with your project ID and domain. Don’t keep re-adding the domain while you wait.

Easy to misdiagnose as

The trap is assuming “DNS is DNS” and that Vercel’s working setup transfers as-is. It doesn’t. Each platform publishes its own required values and tolerances — Vercel hides the AAAA/CAA details that Firebase enforces. Follow Firebase’s wizard exactly; never substitute IPs from another vendor’s docs or an old tutorial.

Prevention

  • Remove old hosting records and bindings before switching providers, not after.
  • Strip all four record types on the apex when migrating: A, AAAA, CNAME, and any stale TXT.
  • Use the Advanced setup wizard for live domains so SSL is ready before you cut over.
  • Verify TXT, A, and AAAA propagation with dig +short before clicking Verify.
  • Keep Cloudflare records on “DNS only” until the certificate is issued.
  • Copy Firebase’s exact IPs from the console — never approximate or reuse old values.

FAQ

  • Why does Firebase need specific IPs when Vercel didn’t? Firebase routes traffic through Google’s CDN on fixed anycast A/AAAA addresses tied to your project, and it provisions per-domain certificates that depend on those exact records. Vercel abstracts this behind its platform, so it tolerates more variation.
  • Do I really have to delete AAAA records? Yes. As of June 2026 Firebase blocks certificate provisioning if any AAAA (IPv6) record points to another provider, even when your A records are correct. This is the most common “looks right but won’t issue” cause.
  • Can I keep the Cloudflare proxy on? Not during setup. Use “DNS only” (grey cloud) until the certificate is live, then re-enable the orange-cloud proxy if you want Cloudflare’s CDN/WAF in front.
  • How long should SSL take? Up to 24 hours per Firebase’s docs, usually under an hour. If it’s still pending after 48 hours with correct records, it’s a Firebase-side issue — contact support rather than re-adding the domain.
  • Do I need a CAA record? No. If you have none, Firebase’s CAs are allowed by default. Only add one if you already restrict issuance, and then include both letsencrypt.org and pki.goog.

Tags: #Domain #DNS #SSL #Troubleshooting #Vercel #Firebase