5 days ago
Hi Railway Support,
We have 3 custom domains stuck in CERTIFICATE_STATUS_TYPE_VALIDATING_OWNERSHIP for ~18+ hours despite DNS being fully aligned and globally propagated.
Project: da3c7bc4-9766-4bfc-bed7-770c62d67653 (authorityrail)
Affected domains:
- verify.workforcerail.com
  - Domain ID: a7a2333a-57e6-447c-89ea-e98ce8eacb26
  - Service: workforce-rail-verify
- verify.authorityrail.com
  - Domain ID: 4f1fe534-87e0-4a15-ba01-c9ff28b47fbe
  - Service: car-verify
- api.authorityrail.com
  - Domain ID: 5b17276a-c863-4689-ab3e-ddac7ea8ee6a
  - Service: customer-api
Validation already completed successfully on another domain in the same project:
- internal.authorityrail.com
  - Custom domain ID: 50aa424b-7319-4e95-8dca-3d6adeef6022
  - Validated successfully on 2026-05-11
Troubleshooting already completed:
- DNS verified against:
  - 1.1.1.1
  - 8.8.8.8
  - authoritative Cloudflare nameservers
- CAA records permit Let's Encrypt issuance
- Existing LE cert already functioning on: gate.authorityrail.com
- Multiple delete/recreate cycles attempted
- Cloudflare proxying disabled where applicable (proxied=false)
Request:
Please clear any ownership-validation backoff/cache state and force ACME re-validation for the 3 affected domains.
We are within our public launch window (May 18–26), so expedited assistance would be greatly appreciated.
Thanks,
Sam Jones
AuthorityRail
Pinned Solution
5 days ago
If you are using the API to create a custom domain, you can find the TXT record in verificationToken under status.
4 Replies
5 days ago
This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.
Status changed to Open Railway • 5 days ago
5 days ago
It appears you haven't configured TXT records for your domains. Railway uses TXT records to verify domain ownership. When you set up a custom domain Railway provides you with a CNAME and a TXT record that should be added to your DNS provider.
5 days ago
Thanks for the quick reply. I think you've identified the issue — I only have CNAMEs configured, not the verification TXT records.
When I created these custom domains via the Railway GraphQL customDomainCreate mutation, the API returned only the CNAME requirement (currentValue / requiredValue at the per-tenant *.up.railway.app target), not a TXT record requirement. I don't see any TXT-record fields in the customDomain GraphQL response for these 3 domains.
Could you:
1. Confirm which exact TXT records I should add for each of these 3 domains (host + value):
   - verify.workforcerail.com (custom domain id a7a2333a-57e6-447c-89ea-e98ce8eacb26)
   - verify.authorityrail.com (custom domain id 4f1fe534-87e0-4a15-ba01-c9ff28b47fbe)
   - api.authorityrail.com (custom domain id 5b17276a-c863-4689-ab3e-ddac7ea8ee6a)
2. Confirm whether the customDomain GraphQL API should be returning TXT requirements alongside CNAME — if yes, this looks like an API bug where TXT requirements aren't being surfaced in the response, and you may want to file that for engineering. The reference case is internal.authorityrail.com (custom domain id 50aa424b-7319-4e95-8dca-3d6adeef6022) on the same project, which validated cleanly without me adding TXT records — so something changed in the customDomainCreate flow between 2026-05-11 and 2026-05-15.
I'll publish the TXT records to Cloudflare as soon as you share the values, then re-trigger validation.
Thanks,
Sam
5 days ago
If you are using the API to create a custom domain, you can find the TXT record in verificationToken under status.
5 days ago
Got it, thanks — I see now that verificationToken is in the customDomain status. I'll query it for each of the 3 domains, publish the TXT records to Cloudflare, and trigger re-validation on my end.
If the certs don't advance to ISSUED within an hour of the TXT records propagating, I'll follow up here.
Thanks for the quick help,
Sam
Status changed to Solved 0x5b62656e5d • 2 days ago
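
The failure mode in this thread (CNAME aligned everywhere, ownership TXT never published) can be caught before re-triggering validation. The check below is an added example, not part of the thread and not Railway's code. The domain object, token, TXT host and resolver answers are constructed placeholders, and the `dnsRecords` nesting is an assumption; only `verificationToken`, `currentValue` and `requiredValue` are named in the thread.

```python
# Constructed API object. verificationToken, currentValue and requiredValue are
# named in the thread; the nesting and the "dnsRecords" key are assumptions.
DOMAIN = {
    "domain": "app.example.com",
    "status": {
        "verificationToken": "TOKEN-PLACEHOLDER",
        "dnsRecords": [{"currentValue": "tenant-placeholder.up.railway.app",
                        "requiredValue": "tenant-placeholder.up.railway.app"}],
    },
}
# The thread does not give the TXT host name, so it is passed in (placeholder).
TXT_HOST = "txt-host-placeholder.app.example.com"

# Constructed resolver answers: {resolver: {(name, rrtype): [values]}}.
ANSWERS = {
    "1.1.1.1": {("app.example.com", "CNAME"): ["tenant-placeholder.up.railway.app."]},
    "8.8.8.8": {("app.example.com", "CNAME"): ["tenant-placeholder.up.railway.app."]},
    "authoritative": {
        ("app.example.com", "CNAME"): ["tenant-placeholder.up.railway.app."],
        (TXT_HOST, "TXT"): ['"TOKEN-PLACEHOLDER"'],
    },
}

def _name(value):
    """Normalise a host name: case-insensitive, no trailing root dot."""
    return value.strip().rstrip(".").lower()

def _txt(value):
    """TXT data arrives quoted; the token itself is compared case-sensitively."""
    return value.strip().strip('"')

def preflight(domain, txt_host, answers):
    """Return one finding per resolver and record that is not yet visible."""
    status = domain["status"]
    token = status.get("verificationToken")
    wanted = {_name(r["requiredValue"]) for r in status.get("dnsRecords", [])}
    findings = [] if token else ["API object has no verificationToken"]
    for resolver in sorted(answers):
        table = answers[resolver]
        cnames = {_name(v) for v in table.get((domain["domain"], "CNAME"), [])}
        txts = {_txt(v) for v in table.get((txt_host, "TXT"), [])}
        if not wanted <= cnames:
            findings.append(f"{resolver}: CNAME missing or wrong")
        if token and token not in txts:
            findings.append(f"{resolver}: ownership TXT missing")
    return findings

if __name__ == "__main__":
    print("\n".join(preflight(DOMAIN, TXT_HOST, ANSWERS)) or "all records visible")
```

With the constructed answers, the CNAME check passes on every resolver while the TXT token is visible only at the authoritative server, so the two public resolvers are reported.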
