a month ago
Let's Encrypt origin certs for all 4 custom domains on this project expired without auto-renewal firing:
All 4 cert notBefore timestamps are exactly 90 days before notAfter, so these are the first-issued certs and Railway's auto-renew job never ran on any of them. Production was masked by Cloudflare's non-strict SSL mode; pre-prod broke visibly because it uses Full (strict). Request engineering review of why the renewal job didn't trigger so I can trust the platform for future automatic renewals.
3 Replies
Status changed to Awaiting Railway Response Railway • 29 days ago
a month ago
All four domains are proxied through Cloudflare (orange cloud), and our system currently shows each one with a CNAME traffic record status of "requires update" (it can't see through Cloudflare's proxy to detect the target). Certificates for all four are stuck in an "issuing" state rather than issued. This is the root cause: Let's Encrypt HTTP-01 challenges require a plain HTTP request to reach our origin, but Cloudflare's proxy intercepts that path. With Full (Strict) mode on pre-prod, the challenge is additionally blocked because strict mode demands a valid origin cert, which can't exist yet during renewal. The recommended fix is to temporarily disable Cloudflare proxying (grey cloud) on each domain so we can complete the ACME challenge, then re-enable the proxy once certificates show as issued in the dashboard. For ongoing reliability, set Cloudflare to Full (not Full Strict) on all environments. Our SSL troubleshooting docs cover this in detail under the "Toggle Trick" and Cloudflare sections.
Status changed to Awaiting User Response Railway • 29 days ago
a month ago
Thank you for your answer. I greyed out all proxied CNAMEs and changed the CF settings to Full instead of Full strict. If you can complete the ACME challenge? Thanks in advance
Status changed to Awaiting Railway Response Railway • 29 days ago
a month ago
This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.
Status changed to Open Railway • 29 days ago
dardameiz
Thank you for your answer. I greyed out all proxied CNAMEs and changed the CF settings to Full instead of Full strict. If you can complete the ACME challenge? Thanks in advance
a month ago
Try removing related DNS records from your DNS provider and Railway, wait ~10-15 mins, and see if the certificates get re-issued.
Status changed to Solved dardameiz • 28 days ago
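The thread notes that the expired origin certs went unnoticed in production because Cloudflare's non-strict mode masked them. As an added example (not part of the thread and not Railway's code), this check classifies an origin certificate from the `notBefore`/`notAfter` lines that `openssl x509 -noout -dates` prints, so a missed renewal is flagged before expiry. The function names, the 30-day renewal threshold and the sample dates are assumptions constructed for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Assumption: a renewal should have happened once fewer than 30 days remain.
RENEW_BEFORE = timedelta(days=30)

# Constructed sample in the format printed by `openssl x509 -noout -dates`.
SAMPLE_DATES = (
    "notBefore=Jan  1 00:00:00 2025 GMT\n"
    "notAfter=Apr  1 00:00:00 2025 GMT\n"
)


def parse_dates(openssl_output):
    """Return (not_before, not_after) as aware UTC datetimes."""
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            seconds = ssl.cert_time_to_seconds(value)
            fields[key] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def renewal_status(openssl_output, now):
    """Classify the certificate's validity window as seen at time `now`."""
    not_before, not_after = parse_dates(openssl_output)
    remaining = not_after - now
    if now < not_before:
        state = "not_yet_valid"
    elif remaining <= timedelta(0):
        state = "expired"
    elif remaining <= RENEW_BEFORE:
        # Still valid, but the automatic renewal should already have run.
        state = "renewal_overdue"
    else:
        state = "ok"
    return {
        "state": state,
        "lifetime_days": (not_after - not_before).days,
        "days_left": remaining.days,
    }


if __name__ == "__main__":
    print(renewal_status(SAMPLE_DATES, datetime.now(timezone.utc)))
```

The input has to come from the origin itself (the hostname Railway serves, not the Cloudflare-proxied name), since the proxied name presents Cloudflare's edge certificate.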