Custom domain cert stuck in VALIDATING_OWNERSHIP — live domain affected, production downtime
jc340095
PRO · OP

a month ago

Customer-impact: Production site trafficsafe.co.nz is currently inaccessible via HTTPS. DNS was cut over ~25 minutes ago and Railway's edge is still serving *.up.railway.app wildcard cert instead of a cert for our custom domains. Every user whose DNS has flipped is seeing a browser SSL warning.

Project: trafficsafe.co.nz (8e0104c5-811c-428d-b92b-f7f9fdaeacec)

Environment: production (fa70ed75-5d5d-4437-9970-6ca9406a963e)

Service: frontend (b809e5c0-b6c0-4ccf-894a-6e7e1b7b40e1)

Domains stuck:

  • trafficsafe.co.nz (domain id f67261d1-c7e0-48fc-89c8-3225379483d0)
  • www.trafficsafe.co.nz (domain id 1e6d172b-2c43-428b-9e1c-1c5a86c6242c)

State in your API: Both CERTIFICATE_STATUS_TYPE_VALIDATING_OWNERSHIP for 25+ min. DNS records both DNS_RECORD_STATUS_PROPAGATED. _railway-verify TXT records match required values and are confirmed at ns1/ns2.1stdomains.net.nz, 1.1.1.1, 8.8.8.8, 9.9.9.9.

Please:

  1. Check the ACME challenge log / CA responses for both domains and share what's blocking issuance.
  2. Force re-validation if there's a stale failed state.
  3. Confirm whether apex A 151.101.2.15 (used because registrar doesn't support ALIAS/CNAME at root) is acceptable for cert issuance on this plan — your API reports PROPAGATED but if provisioning is stricter than validation, that could be the block.

Urgency: Live production domain — we'd like to avoid rolling DNS back to origin if possible.

Solved · $10 Bounty

Pinned Solution

I recommend migrating to Cloudflare's DNS service. Railway does not support A records for custom domains.

2 Replies

Status changed to Awaiting Railway Response · Railway · about 1 month ago


jc340095
PRO · OP

a month ago

One detail your API surfaces when I query the individual DNS record: apex trafficsafe.co.nz shows currentValue: "" with requiredValue: 11bxk780.up.railway.app, because the registrar (1stdomains.net.nz, no ALIAS support) has an A record to 151.101.2.15 instead. Your overall DNS status still reports PROPAGATED, but the specific record doesn't match. www.trafficsafe.co.nz CNAME is an exact match. Please confirm whether the apex A-record workaround is acceptable for cert issuance on Railway, or whether we need to move DNS to a provider that supports CNAME flattening (Cloudflare) before you can provision.


Railway
BOT

a month ago

This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.

Status changed to Open · Railway · about 1 month ago



Status changed to Solved · 0x5b62656e5d · 16 days ago
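
Added example, not part of the thread and not Railway's code: a Python pre-cutover check for the two conditions the posts describe, a DNS record that does not match the required CNAME target and an edge certificate whose names do not cover the custom domain. The function names and the `placeholder.up.railway.app` target for www are assumptions; the apex values are the ones quoted in the thread.

```python
# Added example (not Railway's code): pre-cutover DNS and certificate check.

def norm(name):
    return name.rstrip(".").lower()

def san_matches(san, host):
    """A '*' in a SAN covers exactly one leftmost label, nothing deeper."""
    san, host = norm(san), norm(host)
    if san.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return san == host

def record_status(zone_records, required_target):
    """zone_records: (type, value) pairs as configured at the DNS host."""
    want = norm(required_target)
    if any(t in ("CNAME", "ALIAS") and norm(v) == want for t, v in zone_records):
        return "match"
    if any(t in ("A", "AAAA") for t, _ in zone_records):
        return "address-record-only"  # the apex workaround from the thread
    return "missing"

def cutover_problems(host, zone_records, required_target, served_sans):
    """Return reasons not to move traffic yet; an empty list means ready."""
    problems = []
    status = record_status(zone_records, required_target)
    if status != "match":
        problems.append(f"{host}: DNS is {status}, wanted CNAME/ALIAS to {required_target}")
    if not any(san_matches(s, host) for s in served_sans):
        problems.append(f"{host}: served certificate {served_sans} does not cover it")
    return problems

# Constructed input. Apex values are the ones quoted in the thread; the www
# target is a placeholder because the thread does not give it.
SERVED_SANS = ["*.up.railway.app"]
CHECKS = [
    ("trafficsafe.co.nz", [("A", "151.101.2.15")], "11bxk780.up.railway.app"),
    ("www.trafficsafe.co.nz", [("CNAME", "placeholder.up.railway.app.")],
     "placeholder.up.railway.app"),
]

if __name__ == "__main__":
    for host, records, target in CHECKS:
        for problem in cutover_problems(host, records, target, SERVED_SANS):
            print(problem)
```

In practice `served_sans` would be read from the certificate the edge actually presents for each hostname, and the check would gate the DNS change until the list of problems is empty.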

