Custom domain cert stuck in VALIDATING_OWNERSHIP 24+ hours despite DNS PROPAGATED (5 fresh registrations)
failstocode66
HOBBYOP

25 days ago

Hi Railway team,

The certificate for my custom domain www.comoxcoach.ca has been stuck in

CERTIFICATE_STATUS_TYPE_VALIDATING_OWNERSHIP for over 24 hours, across **5 separate

delete/recreate attempts**, while your own API simultaneously reports the DNS record as

DNS_RECORD_STATUS_PROPAGATED. I believe the cert order is wedged server-side.

Current registration (please investigate this one):

  • Custom domain ID: 45722fb4-a5ce-4925-98df-4eb57c3e730c
  • Domain: www.comoxcoach.ca
  • Project: ComoxCoach (service web, environment production — attached to this thread)
  • Created: 2026-06-12T05:36:18Z — still VALIDATING_OWNERSHIP ~13h later
  • CNAME target: hu6hbxl1.up.railway.app (TTL 600)

Evidence it is not a DNS / configuration problem on my side:

  1. Your API reports the DNS record PROPAGATED (currentValue == requiredValue == hu6hbxl1.up.railway.app).
  2. Public resolvers confirm: www.comoxcoach.ca CNAME hu6hbxl1.up.railway.app (verified via dns.google).
  3. The HTTP-01 challenge path is reachable — port 80 on www.comoxcoach.ca resolves to and reaches your edge.
  4. No CAA records on comoxcoach.ca (nothing restricting Let's Encrypt issuance).
  5. No DNSSEC on the zone.
  6. Your edge is currently serving the fallback *.up.railway.app wildcard cert for SNI www.comoxcoach.ca.

History of attempts (each delete/recreate minted a new CNAME target, registrar updated each time):

m9a575c54tzeleq3jf4ry9d1hbq8g7rmhu6hbxl1 (current).

Every registration showed the same pattern: DNS reaches PROPAGATED quickly, then

VALIDATING_OWNERSHIP forever with certificates: [].

Could you kick or re-issue the cert order for custom domain

45722fb4-a5ce-4925-98df-4eb57c3e730c? This is a live small-business site

(currently reachable only via a temporary registrar forward to the service URL),

so resolution is fairly urgent.

Thanks,

Tyler

Solved$10 Bounty

Pinned Solution

You need to add a TXT record at _railway-verify.www.comoxcoach.ca. Railway uses TXT records to validate domain ownership. You can find it in verificationToken under status

4 Replies

Railway
BOT

25 days ago

This thread has been opened as a bounty so the community can help solve it.

Status changed to Open Railway 25 days ago


You've already done more debugging than most custom-domain reports, and based on the evidence you've shared, DNS itself does not appear to be the issue:

  • Railway reports DNS_RECORD_STATUS_PROPAGATED
  • currentValue == requiredValue
  • Public DNS resolvers return www.comoxcoach.ca -> hu6hbxl1.up.railway.app
  • No CAA restrictions
  • No DNSSEC
  • Multiple delete/recreate attempts show the same behavior

At this point I'd try to verify the certificate challenge path from outside Railway before concluding the cert order is stuck.

Could you share the output of:

curl -I http://www.comoxcoach.ca/.well-known/acme-challenge/test

and

curl -Iv https://www.comoxcoach.ca

One thing that stands out is your note about a temporary registrar forward. Depending on how that forwarding is implemented, it could potentially interfere with ACME validation even if DNS appears correct. I'd temporarily disable any registrar-level forwarding and leave only the Railway CNAME in place while testing.

If the challenge path is reachable, forwarding is disabled, DNS remains propagated, and the domain continues to sit in CERTIFICATE_STATUS_TYPE_VALIDATING_OWNERSHIP for many hours across multiple registrations, then the remaining evidence starts to point toward a certificate issuance workflow issue that Railway staff would need to investigate.

For now, I'd gather the curl outputs above since they'll help rule out the last major external variable.


You need to add a TXT record at _railway-verify.www.comoxcoach.ca. Railway uses TXT records to validate domain ownership. You can find it in verificationToken under status


failstocode66
HOBBYOP

25 days ago

Resolved! Thank you both — posting the wrap-up for anyone who lands here from a search later.

@pancharasshubham — I ran the curls you asked for before the fix landed, and they're useful for the record. The challenge path was reaching Railway's edge directly:

$ curl -I http://www.comoxcoach.ca/.well-known/acme-challenge/test

HTTP/1.1 404 Not Found

Server: railway-edge

X-Railway-Edge: railway/us-west2

The registrar forward turned out not to be a factor — it was on the apex only, while www was a bare CNAME straight to Railway (which the railway-edge response confirms). But your instinct to rule out the last external variables before blaming the platform was the right diagnostic discipline, and I appreciate you engaging with the evidence in detail.

@darseen had it exactly right. VALIDATING_OWNERSHIP was Railway waiting on the ownership-verification TXT record:

_railway-verify.www.comoxcoach.ca TXT "railway-verify=<status.verificationToken>"

Added it → verified: true and the certificate went VALID within about two minutes. All pages now serve over HTTPS with a proper CN=www.comoxcoach.ca cert. Accepting darseen's solution.

The trap, for future searchers: status.dnsRecords in the API only lists the CNAME requirement — mine showed fully PROPAGATED, which made everything look like a stuck cert order. The TXT requirement lives in separate fields: status.verified, status.verificationDnsHost, and status.verificationToken. Also worth knowing: deleting and re-adding the custom domain rotates both the CNAME target and the verification token, so retry-by-reset makes this strictly worse. Check verified first.

Thanks again to both of you.


Thanks for sharing the resolution.

Credit to @darseen for spotting the ownership verification requirement. I focused on ruling out DNS propagation, routing, and forwarding issues based on the evidence provided, but the missing piece was the _railway-verify TXT record.

The important takeaway for future readers is that a domain can show DNS_RECORD_STATUS_PROPAGATED and still remain stuck in VALIDATING_OWNERSHIP if status.verified is false. Be sure to check the verification token and TXT record requirements before recreating the domain.

Glad you got HTTPS working.


Status changed to Solved 0x5b62656e5d 24 days ago


Welcome!

Sign in to your Railway account to join the conversation.

Loading...