Connection is not private. All of my sites are offline. HTTPS cert issue
bitcoindevelopment
PROOP

a month ago

Your connection is not private

Attackers might be trying to steal your information from xxxxx.com (for example, passwords, messages or credit cards). Learn more about this warning

net::ERR_CERT_COMMON_NAME_INVALID

I think I'm being attacked - but this happened yesterday too but they came back online. Can Railway look into this?

HTTPS cert issue. Multiple domains.

This is going to cause rank issues on google, because my sites are offline...

Solved$20 Bounty

20 Replies

Railway
BOT

a month ago

This thread has been opened as a public bounty so the community can help solve it. The thread and any further activity are now visible to everyone.

Status changed to Open Railway about 1 month ago


bitcoindevelopment
PROOP

a month ago

If this issue isn't solved quickly I will change providers. Unacceptable. I requested private assistance


bitcoindevelopment
PROOP

a month ago

After seeing that 2 other people are having issues this just confirms it's a railway issue. Are you going to compensate us for downtime? How does it look to google that all of my sites have no certificate? for hours and multiple days.

Status is saying there are no lets encrypt issues https://status.railway.com/


alialabdrabulrasul
PRO

a month ago

You're not being attacked — your data is safe. This is ERR_CERT_COMMON_NAME_INVALID, which is a certificate name mismatch, not a breach. The certificate being served is a real, valid Let's Encrypt cert — the problem is that Railway's edge is presenting the wildcard certificate (*.nahltime.com) for a bare apex domain (e.g. yourdomain.com), and a wildcard doesn't cover the root name, so the browser refuses it. No attacker, no stolen passwords — just the wrong cert bound to the domain.

Root cause: This is a confirmed Railway platform bug. Railway's edge intermittently binds the wildcard cert to the apex SNI even though the correct apex certificate was issued (you can see it in the CT logs). Another Railway PRO user hit this identically (the public bounty thread on certified.one). Removing and re-adding the domain only fixes it for a few hours and burns the Let's Encrypt 5-certs-per-week limit — so don't keep doing that; it'll lock you out of issuing the apex cert for a week.

The reliable fix (already applied and confirmed working on our main domain):

Put each affected apex domain on Cloudflare and set the apex record to Proxied (orange cloud). Cloudflare terminates TLS with its own apex-valid cert and bypasses Railway's broken edge.

Cloudflare DNS-only (grey cloud) does NOT work — the browser still hits Railway's edge and gets the wildcard.

Set Cloudflare SSL/TLS mode = "Full" (not "Full (strict)" — Railway's origin only presents the wildcard, which strict mode would reject).

Keep all subdomains (www, app, tenant subdomains) DNS-only/grey so they keep using Railway's wildcard unchanged.

On Google rankings: A transient TLS handshake error does not cause a ranking penalty. Googlebot retries failed crawls automatically and there's no content/quality demotion for a temporary cert error — once the cert serves correctly, crawling and rankings recover on their own. The priority is just to get each apex behind Cloudflare so it stops recurring.


bitcoindevelopment
PROOP

a month ago

I'm not using cloudflare


bitcoindevelopment
PROOP

a month ago

Railway has cut off my sites two days in a row for hours, there will be a penalty 100%. Not to mention it looks unprofessional as fuck


bitcoindevelopment
PROOP

a month ago

Canceling my plan. Go fuck yourselves.

Enjoy your 1 star review.

https://uk.trustpilot.com/review/railway.com?stars=1


bitcoindevelopment
PROOP

a month ago

Canceled PRO plan. I expect a refund for the past 2 days of outages I don't see why I should have to pay when you have cost me downtime and wasted hours on these projects that I will have to host elsewhere.

Attachments


bitcoindevelopment

Canceled PRO plan. I expect a refund for the past 2 days of outages I don't see why I should have to pay when you have cost me downtime and wasted hours on these projects that I will have to host elsewhere.

simplitech-code
HOBBY

a month ago

I think I understand the fix the guy is saying and am going to implement it on mine and see I will update you and let you know how it goes


madcats1337
PRO

a month ago

same garbage is happening to my domain.


madcats1337

same garbage is happening to my domain.

simplitech-code
HOBBY

a month ago

I can help you fix it


simplitech-code

I can help you fix it

madcats1337
PRO

a month ago

no you cant, its a railway related issue.


madcats1337

no you cant, its a railway related issue.

simplitech-code
HOBBY

a month ago

I had the same issue and i got it fixed via using cloudflaire to connect the domain to railway


simplitech-code

I had the same issue and i got it fixed via using cloudflaire to connect the domain to railway

madcats1337
PRO

a month ago

not using cloudflare


madcats1337

not using cloudflare

simplitech-code
HOBBY

a month ago

I was not using it too but I have to manage the situation via that


simplitech-code

I was not using it too but I have to manage the situation via that

madcats1337
PRO

a month ago

post the fix here then


simplitech-code
HOBBY

a month ago

create cloudflaire account and route your domain through it to railway and you will be Good


simplitech-code

create cloudflaire account and route your domain through it to railway and you will be Good

madcats1337
PRO

a month ago

not working.


simplitech-code
HOBBY

a month ago

It’s working


simplitech-code

create cloudflaire account and route your domain through it to railway and you will be Good

bitcoindevelopment
PROOP

a month ago

I shouldn't have to be forced to use a third party like cloudflare. I've given railway lots of money it's unacceptable. I've cancelled my account and looking for alternatives the customer support is a joke.


dizzydes90
EMPLOYEE

a month ago

Hello,

We had discovered an issue which would've affected services that have both a wildcard and exact-matching SAN for the same second-level domain, on the same service. We have been migrating traffic to our new edge network over the past week, which had tree lookup logic that erroneously preferred the wildcard certificate over the exact match, specifically if the exact-matching SAN was generated/renewed after the wildcard certificate.

We have since rolled out a fleet-wide patch to this issue, and added regression testing to make sure this doesn't happen again. We apologize for the inconvenience - please let me know if you have any further questions.


Status changed to Solved dizzydes90 about 1 month ago


Welcome!

Sign in to your Railway account to join the conversation.

Loading...