12 days ago
Update — I performed a complete cleanup test to rule out any state-related cause:
1. Deleted all 5 stuck customDomains on this project (atlas.bluewhalestack.com, *.atlas.bluewhalestack.com, app.bluewhalestack.com, console.bluewhalestack.com, portal.bluewhalestack.com).
2. Deleted the corresponding 6 CNAME records in GoDaddy DNS (atlas, *.atlas, _acme-challenge.atlas, app, console, portal). Verified all gone via DNS-over-HTTPS to Google + direct query to ns57.domaincontrol.com.
3. Created two completely fresh customDomains on the same project bluewhale-enterprise (24db3b95-268e-4052-aed2-aebc260cd8c6), web service (ccfd443e-2781-45d6-9273-9b961cf17485):
- enterprise.bluewhalestack.com — customDomain id 232c2861-e6cf-463a-8c6c-ab5e8b6c5b04, target 8g1i3kml.up.railway.app
- standard.bluewhalestack.com — customDomain id d000d7fb-da4d-4f1f-83f4-8f1c53d033d4, target 6gfheauw.up.railway.app
4. Added matching CNAMEs in GoDaddy. Verified DNS PROPAGATED on Railway's side within 30 seconds. Polled cert state every 15s for 6 minutes.
Result: BOTH stuck in CERTIFICATE_STATUS_TYPE_VALIDATING_OWNERSHIP. certificates: []. HTTPS handshake fails (code 000). Railway edge serves CN = *.up.railway.app for both hostnames instead of issuing domain-specific certs.
This rules out:
- DNS configuration issues (verified clean via 4 paths)
- Conflicting / stale customDomain entries (we deleted everything)
- Conflicting GoDaddy records (we cleaned those too)
- LE rate limit on specific domain (these are brand-new FQDNs)
The cert provisioning queue for project 24db3b95-268e-4052-aed2-aebc260cd8c6 is structurally not progressing ACME flow for any new customDomain. We have now reproduced this on 6 separate hostnames today (atlas, *.atlas, app, console, portal — all deleted — plus the fresh enterprise + standard).
Customer impact remains: production integrations that were calling https://atlas.bluewhalestack.com are failing. The previous valid cert for atlas (Mar 6 → Jun 4 2026 in CT logs) was lost during this incident.
Please escalate to your infrastructure team to investigate the cert manager queue for this project. Happy to share GraphQL trace IDs or run additional probes.
Reachable: abhishek.pangerkar@bluewhalestack.com
2 Replies
12 days ago
You're getting CERTIFICATE_STATUS_TYPE_VALIDATING_OWNERSHIP because you haven't configured your TXT record. Railway uses TXT records to verify domain ownership. When you add your custom domain, Railway provides you with both a CNAME and a TXT record that you need to add to complete the custom domain setup.
12 days ago
Additionally, for example, the TXT record should be added to _railway-verify.enterprise.bluewhalestack.com. You can access the TXT content through the verificationToken property under status.
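A preflight check for the two records the replies above describe (the CNAME and the `_railway-verify.` TXT record), as an added example that is not part of the thread and not Railway's own code. The hostnames and CNAME targets are the ones quoted in the first post; the token value, the DNS snapshot and all function names are constructed for illustration.

```python
# Added example: confirm a custom domain has both its CNAME and its ownership TXT record.
# The "_railway-verify." prefix is taken from the reply above; the token and the
# record snapshot below are constructed placeholders, not real values.

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def txt_value(rdata):
    """Join the quoted chunks of a TXT rdata string: '"ab" "cd"' -> 'abcd'."""
    parts = rdata.strip().split('"')
    return "".join(parts[1::2]) if len(parts) > 1 else rdata.strip()

def check_domain(host, target, token, lookup):
    """Return a list of problems; an empty list means both records are in place.

    lookup(name, rtype) returns a list of rdata strings (for instance the lines
    printed by `dig +short`), or [] when the name has no record of that type.
    """
    problems = []
    cnames = [norm(r) for r in lookup(norm(host), "CNAME")]
    if norm(target) not in cnames:
        problems.append(f"CNAME {norm(host)} -> {norm(target)} missing (found {cnames})")
    verify_name = "_railway-verify." + norm(host)
    txts = [txt_value(r) for r in lookup(verify_name, "TXT")]
    if token not in txts:
        problems.append(f"TXT {verify_name} does not carry the verification token")
    return problems

PLACEHOLDER_TOKEN = "TOKEN-PLACEHOLDER"  # stands in for status.verificationToken

# Constructed snapshot: both CNAMEs exist, but only "standard" has its TXT record.
SAMPLE_ZONE = {
    ("enterprise.bluewhalestack.com", "CNAME"): ["8g1i3kml.up.railway.app."],
    ("standard.bluewhalestack.com", "CNAME"): ["6gfheauw.up.railway.app."],
    ("_railway-verify.standard.bluewhalestack.com", "TXT"): ['"TOKEN-" "PLACEHOLDER"'],
}

def sample_lookup(name, rtype):
    """Offline resolver backed by the constructed snapshot above."""
    return SAMPLE_ZONE.get((name, rtype), [])

if __name__ == "__main__":
    for host, target in [("enterprise.bluewhalestack.com", "8g1i3kml.up.railway.app"),
                         ("standard.bluewhalestack.com", "6gfheauw.up.railway.app")]:
        issues = check_domain(host, target, PLACEHOLDER_TOKEN, sample_lookup)
        print(host, "OK" if not issues else issues)
```

To run it against live DNS, pass a `lookup` that wraps a real resolver in place of `sample_lookup`.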