Apex Domain (aureacommkt.com.br) Stuck on "Issuing TLS certificate" - Over 74h
regravina
HOBBYOP

a month ago

Hi Railway Team,

I am reaching out regarding my apex domain aureacommkt.com.br (Project: adorable-victory / Service: aurea_commkt_site).

The domain has been stuck in the "Issuing TLS certificate" state since April 13th (~16:30 UTC-3), exceeding the 72h window.

Technical Diagnostics:

  1. DNS A Record: Pointing to 151.101.2.15 (Confirmed via dig).
  2. Verification: _railway-verify TXT record is configured and verified (green checkmark).
  3. HTTP/HTTPS Status: HTTP returns 301, but HTTPS fails with SSL: no alternative certificate subject name matches target host name.
  4. Apex Limitation: My registrar (Registro.br) does not support CNAME on apex, so I am using the required A record.
  5. Subdomain Status: www.aureacommkt.com.br is working perfectly via CNAME.
  6. No Blockers: No CAA records are blocking Let's Encrypt, and DNSSEC is active/valid.

Potential Conflict: I see a warning: "You have hit the custom domain limit for your plan". Could this internal limit be blocking the automated certificate issuance for the apex domain?

Attempted Fixes:

  • Clicked the re-verify button multiple times.
  • Redeployed the service.

Since the DNS is correctly propagated and verified, could you please manually trigger the TLS issuance for aureacommkt.com.br?

I intend to stay on my current plan and do not wish to change DNS providers.

Sincerely, Regina Gravina

Solved

3 Replies

Railway
BOT

a month ago

Your apex domain's DNS currently has a static A record pointing to `151.101.2.15`, but we expect a CNAME (or CNAME-flattened equivalent) pointing to `38eszgol.up.railway.app` for certificate issuance to work. Since Registro.br does not support CNAME flattening or ALIAS records on the apex, a static A record will not allow us to issue a TLS certificate. Our [docs on adding a root domain](https://docs.railway.com/networking/domains/working-with-domains#adding-a-root-domain) describe a workaround: you can change your domain's nameservers to Cloudflare (which supports CNAME flattening), then add a CNAME record for the apex pointing to the Railway-provided value.


Status changed to Awaiting User Response Railway 30 days ago


regravina
HOBBYOP

a month ago

"I understand the CNAME limitation at Registro.br. However, many PaaS providers allow TLS issuance for Apex A Records via HTTP-01 challenge. Is it possible to trigger a manual HTTP-01 validation for my A Record (151.101.2.15) instead of relying on the CNAME check?"


Status changed to Awaiting Railway Response Railway 29 days ago


a month ago

We don't support manual HTTP-01 validation or any alternative certificate issuance path for apex domains. A CNAME (or CNAME-flattened equivalent) pointing to your Railway-provided value is required for both routing and certificate issuance.


Status changed to Awaiting User Response Railway 29 days ago


Status changed to Solved regravina 29 days ago
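
The HTTPS error quoted in item 3 of the original post is what a client reports when no subjectAltName entry on the served certificate covers the requested host. The following is an added example, not code from this thread or from Railway: a simplified RFC 6125-style dNSName matcher run over constructed SAN lists, showing that a certificate issued for the www name, or for a wildcard, does not cover the apex. The function names and SAN lists are assumptions and do not describe the certificates the real servers present.

```python
def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def san_matches(host, pattern):
    """Match one dNSName SAN entry against a hostname (simplified RFC 6125)."""
    h, p = _labels(host), _labels(pattern)
    if len(h) != len(p):
        return False  # a wildcard stands for exactly one label, never zero
    if p[0] == "*":
        # Whole-label wildcard in the leftmost position only. Requiring at
        # least three labels is a crude guard against over-broad patterns.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and h[1:] == p[1:]
    # Partial wildcards such as "w*.example.com" are rejected outright.
    return "*" not in pattern and h == p


def covering_entries(host, san_list):
    """Return the SAN entries that cover host (empty list means mismatch)."""
    return [s for s in san_list if san_matches(host, s)]


def diagnose(host, san_list):
    hits = covering_entries(host, san_list)
    if hits:
        return f"{host}: covered by {', '.join(hits)}"
    return f"{host}: no alternative certificate subject name matches"


# Constructed SAN lists for illustration only.
SANS_WWW_ONLY = ["www.aureacommkt.com.br"]
SANS_WILDCARD = ["*.aureacommkt.com.br"]
SANS_BOTH = ["aureacommkt.com.br", "www.aureacommkt.com.br"]

if __name__ == "__main__":
    for sans in (SANS_WWW_ONLY, SANS_WILDCARD, SANS_BOTH):
        for host in ("aureacommkt.com.br", "www.aureacommkt.com.br"):
            print(sans, "->", diagnose(host, sans))
```

Only the list that names the apex explicitly covers it, so a working www subdomain says nothing about whether the apex has a valid certificate.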

