a month ago
Your connection is not private
Attackers might be trying to steal your information from xxxxx.com (for example, passwords, messages or credit cards). Learn more about this warning
net::ERR_CERT_COMMON_NAME_INVALID
I think I'm being attacked - but this happened yesterday too but they came back online. Can Railway look into this?
HTTPS cert issue. Multiple domains.
This is going to cause rank issues on google, because my sites are offline...
20 Replies
a month ago
This thread has been opened as a public bounty so the community can help solve it. The thread and any further activity are now visible to everyone.
Status changed to Open Railway • about 1 month ago
a month ago
If this issue isn't solved quickly I will change providers. Unacceptable. I requested private assistance
a month ago
After seeing that 2 other people are having issues this just confirms it's a railway issue. Are you going to compensate us for downtime? How does it look to google that all of my sites have no certificate? for hours and multiple days.
Status is saying there are no lets encrypt issues https://status.railway.com/
a month ago
You're not being attacked — your data is safe. This is ERR_CERT_COMMON_NAME_INVALID, which is a certificate name mismatch, not a breach. The certificate being served is a real, valid Let's Encrypt cert — the problem is that Railway's edge is presenting the wildcard certificate (*.nahltime.com) for a bare apex domain (e.g. yourdomain.com), and a wildcard doesn't cover the root name, so the browser refuses it. No attacker, no stolen passwords — just the wrong cert bound to the domain.
Root cause: This is a confirmed Railway platform bug. Railway's edge intermittently binds the wildcard cert to the apex SNI even though the correct apex certificate was issued (you can see it in the CT logs). Another Railway PRO user hit this identically (the public bounty thread on certified.one). Removing and re-adding the domain only fixes it for a few hours and burns the Let's Encrypt 5-certs-per-week limit — so don't keep doing that; it'll lock you out of issuing the apex cert for a week.
The reliable fix (already applied and confirmed working on our main domain):
Put each affected apex domain on Cloudflare and set the apex record to Proxied (orange cloud). Cloudflare terminates TLS with its own apex-valid cert and bypasses Railway's broken edge.
Cloudflare DNS-only (grey cloud) does NOT work — the browser still hits Railway's edge and gets the wildcard.
Set Cloudflare SSL/TLS mode = "Full" (not "Full (strict)" — Railway's origin only presents the wildcard, which strict mode would reject).
Keep all subdomains (www, app, tenant subdomains) DNS-only/grey so they keep using Railway's wildcard unchanged.
On Google rankings: A transient TLS handshake error does not cause a ranking penalty. Googlebot retries failed crawls automatically and there's no content/quality demotion for a temporary cert error — once the cert serves correctly, crawling and rankings recover on their own. The priority is just to get each apex behind Cloudflare so it stops recurring.
a month ago
I'm not using cloudflare
a month ago
Railway has cut off my sites two days in a row for hours, there will be a penalty 100%. Not to mention it looks unprofessional as fuck
a month ago
Canceling my plan. Go fuck yourselves.
Enjoy your 1 star review.
a month ago
Canceled PRO plan. I expect a refund for the past 2 days of outages I don't see why I should have to pay when you have cost me downtime and wasted hours on these projects that I will have to host elsewhere.
Attachments
bitcoindevelopment
Canceled PRO plan. I expect a refund for the past 2 days of outages I don't see why I should have to pay when you have cost me downtime and wasted hours on these projects that I will have to host elsewhere.
a month ago
I think I understand the fix the guy is saying and am going to implement it on mine and see I will update you and let you know how it goes
a month ago
same garbage is happening to my domain.
madcats1337
same garbage is happening to my domain.
a month ago
I can help you fix it
simplitech-code
I can help you fix it
a month ago
no you cant, its a railway related issue.
madcats1337
no you cant, its a railway related issue.
a month ago
I had the same issue and i got it fixed via using cloudflaire to connect the domain to railway
simplitech-code
I had the same issue and i got it fixed via using cloudflaire to connect the domain to railway
a month ago
not using cloudflare
madcats1337
not using cloudflare
a month ago
I was not using it too but I have to manage the situation via that
simplitech-code
I was not using it too but I have to manage the situation via that
a month ago
post the fix here then
a month ago
create cloudflaire account and route your domain through it to railway and you will be Good
simplitech-code
create cloudflaire account and route your domain through it to railway and you will be Good
a month ago
not working.
a month ago
It’s working
simplitech-code
create cloudflaire account and route your domain through it to railway and you will be Good
a month ago
I shouldn't have to be forced to use a third party like cloudflare. I've given railway lots of money it's unacceptable. I've cancelled my account and looking for alternatives the customer support is a joke.
a month ago
Hello,
We had discovered an issue which would've affected services that have both a wildcard and exact-matching SAN for the same second-level domain, on the same service. We have been migrating traffic to our new edge network over the past week, which had tree lookup logic that erroneously preferred the wildcard certificate over the exact match, specifically if the exact-matching SAN was generated/renewed after the wildcard certificate.
We have since rolled out a fleet-wide patch to this issue, and added regression testing to make sure this doesn't happen again. We apologize for the inconvenience - please let me know if you have any further questions.
Status changed to Solved dizzydes90 • about 1 month ago