Your CNAME and verification records are correctly configured, but public DNS also shows an A record (151.101.2.15) on awoken.dev that does not belong to us. This conflicting A record can prevent the certificate from issuing because ACME validation traffic may be routed to that IP instead of our servers. Remove the A record for awoken.dev in your Namecheap DNS settings so only the CNAME remains.

There's no A record configured on the domain.

I have a CNAME (railway), TXT (railway validation), DKIM, SPF and DMARC (TXT). Those are the only dns records configured.

Your CNAME and TXT verification records are correct, and the domain is verified on our side, but the certificate is stuck because public DNS still resolves an A record (151.101.2.15) for awoken.dev alongside the CNAME. Since this is a root/apex domain on Namecheap's default nameservers (registrar-servers.com), this A record is likely a residual parking/default record that Namecheap's BasicDNS serves automatically, even though you didn't explicitly create it. Check your Namecheap Advanced DNS panel for any "URL Redirect Record" or "A Record" entries for the host "@" and remove them. If the record persists and can't be deleted, switching your nameservers to Cloudflare (which properly supports CNAME flattening at the apex) would resolve this. Also, please avoid deleting and re-adding the domain further, as Let's Encrypt enforces rate limits that could block certificate issuance for up to 7 days.

There's no A record configured in DNS.

We understand you didn't add it yourself. The A record (151.101.2.15) is being served automatically by Namecheap's BasicDNS nameservers (registrar-servers.com) - it's a default parking record that won't appear as a user-created record in your panel. You have two options: contact Namecheap support and ask them to remove the default A record on your apex domain, or switch your nameservers to Cloudflare (free plan), which properly supports CNAME flattening at the apex and won't inject a parking A record.