Certificate Authority is validating challenges
antoniourieta
HOBBY · OP

19 days ago

Wildcard *.karute.app stuck on "Certificate Authority is validating challenges" — need manual reset

DNS fully propagated

_acme-challenge.karute.app → gic4aewh.authorize.railwaydns.net

*.karute.app → gic4aewh.up.railway.app

This is my 3rd attempt, previous two failed with "Failed to issue TLS certificate - Internal Error"

Stuck for 2+ hours each time despite correct DNS

Solved · $10 Bounty

2 Replies

Status changed to Open Railway 19 days ago


curlymolelabs
HOBBY

19 days ago

I think this is a DNS validation issue, not just Railway being slow.

I checked the public records just now. The Railway CNAME is present:

_acme-challenge.karute.app -> gic4aewh.authorize.railwaydns.net

But Google DNS is also still returning old TXT challenge values directly for _acme-challenge.karute.app:

SlwRH86qH5gXLUPqLVH2qtUEpiIXEDAQRgjnwqomhx8

iXHFk2WKqwLC1GQKlYuOEeimXWvE-PM39-rcuPfLNos

The current Railway target returns a different TXT value:

gic4aewh.authorize.railwaydns.net -> kPkzdSn1Iv2SqYs5mi3BPvwhwQYAdlbikx15IrQmdS4

So some resolvers may be seeing stale/direct TXT records at _acme-challenge.karute.app instead of the TXT value behind Railway's CNAME. That would explain repeated ACME failures even though the CNAME itself looks right.

What I would do:

  1. In your DNS provider, delete any TXT records named _acme-challenge / _acme-challenge.karute.app.
  2. Leave only this CNAME: _acme-challenge -> gic4aewh.authorize.railwaydns.net.
  3. Leave the wildcard app record: * -> gic4aewh.up.railway.app.
  4. Wait for the 300s TTL to clear, then remove and re-add/retry the wildcard domain in Railway so it starts a fresh cert check.

Quick checks:

nslookup -type=CNAME _acme-challenge.karute.app 8.8.8.8

nslookup -type=TXT _acme-challenge.karute.app 8.8.8.8

nslookup -type=TXT gic4aewh.authorize.railwaydns.net 8.8.8.8

The TXT result for the challenge name should line up with Railway's target value, not the two older values above.


antoniourieta
HOBBY · OP

19 days ago

Resolved! The issue was stale TXT records cached in DNS that were interfering with Let's Encrypt validation, even though Cloudflare's interface showed no TXT records for _acme-challenge.

What fixed it:

  1. Confirmed Cloudflare's nameservers were clean using nslookup -type=TXT _acme-challenge.karute.app kurt.ns.cloudflare.com — they were only returning the CNAME, no stale TXT values
  2. Waited for Google DNS (8.8.8.8) and Cloudflare DNS (1.1.1.1) cache to fully expire for the old TXT values
  3. Removed *.karute.app from Railway completely
  4. Re-added the domain — Railway generated fresh values (wxt6ny9u.authorize.railwaydns.net)
  5. Updated both CNAMEs in Cloudflare with the new values
  6. Verified propagation with nslookup -type=CNAME _acme-challenge.karute.app kurt.ns.cloudflare.com
  7. Certificate issued successfully

Key takeaway: If you're stuck on "Certificate Authority is validating challenges" despite correct DNS, check for stale TXT records at _acme-challenge using direct nameserver queries. The Cloudflare UI may not show them but they can still interfere with ACME validation. Waiting for cache to fully clear before retrying makes all the difference.

Thanks for the diagnosis — pointing out the stale TXT values was exactly what led to the fix! 🙏
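One way to automate the checks both replies describe: ask each resolver (including the zone's authoritative nameserver) what it returns for the `_acme-challenge` name and compare that with the TXT value the Railway CNAME target currently serves, flagging anything else as a stale value that can break dns-01 validation. This is an added example, not code from the thread or from Railway; it assumes the `dig` binary is installed for live queries, and the names and resolvers in the `__main__` block are the ones quoted in the thread.

```python
import subprocess
from dataclasses import dataclass, field


@dataclass
class Verdict:
    cname_ok: bool             # the challenge name delegates to the expected target
    stale_txt: list = field(default_factory=list)  # TXT values the target does not serve
    has_current: bool = False  # at least one TXT value matches what the target serves


def dig_short(name: str, rtype: str, server: str) -> list:
    """Run `dig +short @server rtype name` and return normalised answer lines.

    Needs `dig` and network access; the offline comparison below does not call it."""
    proc = subprocess.run(["dig", "+short", f"@{server}", rtype, name],
                          capture_output=True, text=True, check=False)
    return [line.strip().strip('"').rstrip(".")
            for line in proc.stdout.splitlines() if line.strip()]


def assess(cname_answer: list, txt_answer: list, target: str, target_txt: list) -> Verdict:
    """Compare a resolver's answers for the challenge name with what the delegated
    target serves. A resolver that follows the CNAME echoes the target name in the
    TXT answer, so that line is not counted as a stale value."""
    target = target.rstrip(".")
    current = set(target_txt)
    stale = [v for v in txt_answer if v != target and v not in current]
    return Verdict(cname_ok=target in [c.rstrip(".") for c in cname_answer],
                   stale_txt=stale,
                   has_current=any(v in current for v in txt_answer))


def check_delegation(challenge_name: str, target: str, resolvers: list) -> dict:
    """Live check: query every resolver for the challenge name and compare with the
    TXT value the target serves right now (looked up via the first resolver)."""
    target_txt = dig_short(target, "TXT", resolvers[0])
    return {r: assess(dig_short(challenge_name, "CNAME", r),
                      dig_short(challenge_name, "TXT", r), target, target_txt)
            for r in resolvers}


if __name__ == "__main__":
    # Names from the thread; the authoritative server comes first so its clean
    # answer is the reference the cached public resolvers are compared against.
    for server, verdict in check_delegation(
            "_acme-challenge.karute.app", "gic4aewh.authorize.railwaydns.net",
            ["kurt.ns.cloudflare.com", "8.8.8.8", "1.1.1.1"]).items():
        print(server, verdict)
```

A resolver whose verdict lists `stale_txt` values, or lacks `has_current`, is still serving the old challenge; retrying issuance before those TTLs expire repeats the failure.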


Status changed to Solved antoniourieta 19 days ago

