auth.babel42.iostuck in CERTIFICATE_STATUS_TYPE_VALIDATING_OWNERSHIP ~14h despite clean, propagated DNS
a month ago
Title: Custom domain stuck in VALIDATING_OWNERSHIP for ~14h despite clean, propagated DNS
Hi all — hoping for a sanity check or a pointer here. A custom domain has been stuck issuing its TLS cert for ~14 hours and I've worked through all the usual self-serve fixes. (Railway team: I think this needs a manual cert-issuance retry / rate-limit reset on your side — details below.)
Setup
- Self-hosted app on Railway, single CNAME custom domain, port 8080.
- DNS at Namecheap (no Cloudflare proxy), direct CNAME → Railway target.
Symptom
certificateStatushas beenCERTIFICATE_STATUS_TYPE_VALIDATING_OWNERSHIPsince ~22:00 UTC 2026-06-07.- DNS record shows
DNS_RECORD_STATUS_PROPAGATED, andcurrentValue == requiredValue. - The edge still serves the default
*.up.railway.appcert (Let's Encrypt E7) — the per-domain cert never issues.
What I've already verified (config looks correct)
- DNS: the domain's CNAME → the Railway target resolves correctly on both Google (8.8.8.8) and Cloudflare (1.1.1.1) DoH. Railway's own dashboard agrees:
currentValue == requiredValue, statusPROPAGATED. - Only a single CNAME is required here (
purpose: DNS_RECORD_PURPOSE_TRAFFIC_ROUTE) — no TXT /_acme-challengerecord is requested, so nothing is missing there. - No CAA record on the apex (nothing blocking letsencrypt.org).
- No AAAA on the domain or the edge target (no broken IPv6 path).
- Service is healthy: latest deployment
SUCCESS, not serverless/sleeping. The edge responds —/.well-known/acme-challenge/<token>returns a railway-edge 404 for a non-existent token, i.e. the ACME path is being handled. - Other custom domains in the same workspace issue fine.
My theory
When the domain was first added, DNS hadn't fully converged across all validators yet, so the early Let's Encrypt attempts likely failed and tripped LE's per-hostname failed-validation rate limit. DNS has been fully converged and stable since ~05:43 UTC 2026-06-08, but issuance hasn't succeeded since. I did exactly one delete+re-add early on (to clear a genuinely stale target), then stopped touching it to avoid burning more attempts, and triggered a single service redeploy as a nudge — no change.
Questions for the community
- Has anyone hit this exact "stuck in VALIDATING_OWNERSHIP with clean, propagated DNS" state, and what actually unstuck it — waiting, a redeploy, or a staff-side reset?
- Is there any non-destructive way to force a fresh cert-issuance attempt without delete/re-adding the domain (which rotates the target and spends more LE attempts)?
- If this is the LE failed-validation rate limit, roughly how long until it clears in practice?
Railway team: if you can see a rate-limit / cert-job state for this domain, a manual issuance retrigger or limit reset would be hugely appreciated — happy to share the project/service IDs privately. Config is correct and stable; it just needs a clean retry. Thanks!
Pinned Solution
a month ago
You need to add a TXT record to _railway-verify.auth.babel42.io. You can find the content for it from the verificationToken property under status.
2 Replies
a month ago
This thread has been opened as a public bounty so the community can help solve it. The thread and any further activity are now visible to everyone.
Status changed to Open Railway • 29 days ago
a month ago
You need to add a TXT record to _railway-verify.auth.babel42.io. You can find the content for it from the verificationToken property under status.
Status changed to Solved 0x5b62656e5d • 29 days ago
