17 days ago
Wildcard domain *.montiplanet.eu is stuck — Railway is not placing a TXT record at i810sbbg.authorize.railwaydns.net. DNS delegation via _acme-challenge CNAME is correctly configured. dig TXT i810sbbg.authorize.railwaydns.net returns NODATA (ANSWER: 0). All domains under this wildcard return 525 because origin has no certificate for the custom hostname.
I see the same threads, but I suppose that re-adding is not a good choice to resolve this issue.
5 Replies
17 days ago
This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.
Status changed to Open Railway • 17 days ago
17 days ago
The same goes for *.montiplanet.be
17 days ago
Or re-adding is the only way if my previous config was wrong with a proxied _acme CNAME record. When I changed it to DNS only it was fixed, but now this is broken again as it was broken before.
17 days ago
I think you can check these steps
1. Fix the _acme-challenge record (most common cause)
- In Cloudflare DNS, find the _acme-challenge CNAME record that Railway gave you.
- Set its proxy status to DNS only (grey cloud). It must not be proxied (orange cloud).
- Check that the target (value) matches exactly what Railway shows in your domain settings.
2. Set Cloudflare SSL mode to “Full”
- In Cloudflare → SSL/TLS → Overview, choose Full (not Full (Strict), not Flexible).
3. Toggle your main domain record
- Temporarily set your main domain’s CNAME (or A record) to DNS only (grey cloud).
- Wait 2–3 minutes, then turn the proxy back on (orange cloud). This often forces a fresh SSL setup.
4. Wait a bit, then test
- New certificates can take a few minutes (rarely up to an hour).
- Open your site in an Incognito window or another browser to avoid cache issues.
5. Avoid these pitfalls
- Don’t delete and re-add the domain repeatedly — it can trigger a Let’s Encrypt rate limit that blocks you for a week.
- Don’t use “Full (Strict)” unless you have a custom origin certificate (you almost certainly don’t need it with Railway).
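A way to check step 1 from the command line, as an added example that is not part of the thread or Railway's tooling: the hypothetical `classify_acme` function reads the answer section of `dig +noall +answer TXT _acme-challenge.<domain>` and reports whether the CNAME delegation is visible, points at the expected target, and has a challenge TXT record behind it. The sample `dig` line and its TTL are constructed.

```shell
#!/usr/bin/env bash
# Added example (not Railway or Cloudflare tooling).
# Classify the DNS-01 delegation state from the answer section of:
#   dig +noall +answer TXT _acme-challenge.<domain>
# Live usage: dig +noall +answer TXT _acme-challenge.<domain> | classify_acme <target>
# where <target> is the CNAME value shown in the provider's domain settings.
classify_acme() (
  # Body runs in a subshell so the working variables stay private.
  target="" has_txt=0
  expected=$(printf '%s' "${1%.}" | tr 'A-Z' 'a-z')
  while read -r name ttl class type rdata || [ -n "$name" ]; do
    case "$type" in
      CNAME)
        # Keep the first CNAME hop; DNS names compare case-insensitively.
        if [ -z "$target" ]; then
          target=$(printf '%s' "${rdata%.}" | tr 'A-Z' 'a-z')
        fi ;;
      TXT) has_txt=1 ;;
    esac
  done
  if [ -z "$target" ]; then
    echo "no-cname"          # record missing, or not visible to resolvers (e.g. proxied)
  elif [ "$target" != "$expected" ]; then
    echo "wrong-target"      # CNAME does not point at the value the provider expects
  elif [ "$has_txt" -eq 0 ]; then
    echo "delegated-no-txt"  # delegation is fine; no challenge TXT published at the target
  else
    echo "ok"                # delegation visible and a TXT record answers at the target
  fi
)

# Constructed sample: the state reported in this thread (CNAME resolves, TXT is NODATA).
sample='_acme-challenge.montiplanet.eu. 300 IN CNAME i810sbbg.authorize.railwaydns.net.'
printf '%s\n' "$sample" | classify_acme i810sbbg.authorize.railwaydns.net
```

A result of `delegated-no-txt` means the customer-side DNS is correct and the missing piece is the TXT record at the delegation target, which only the provider can publish.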
17 days ago
Thanks. I checked everything prior to contacting this support. My AI agent recommended the same but everything is correct.
16 days ago
Without answers, I needed to re-add my wildcard subdomains and will keep an eye on this issue. It would be good to get some confirmation that everything works and this won't come back.