Custom domain SSL stuck - portal.workcompworld.com not receiving certificate
jdantice
HOBBYOP

18 days ago

Custom domain portal.workcompworld.com has been stuck at "Waiting for DNS update" for over 6 hours despite CNAME being verified as VALID via the API.

Project ID: 73f0da78-129b-4e79-bc7a-cbac0be5b45d

Service ID: 2426984c-05c4-4734-bdb7-c8bfeaf6e76f

Domain ID: 8713da99-d00a-46d6-b73f-9bf46dc75b5e

Domain: portal.workcompworld.com

CNAME target: aywbgixd.up.railway.app

CNAME status (via API): VALID

Port: 8000

DNS resolves correctly - both portal.workcompworld.com and aywbgixd.up.railway.app resolve to 69.46.46.56. HTTP on port 80 works (returns 301 to HTTPS with x-railway-67 header). HTTPS on port 443 serves *.up.railway.app wildcard cert instead of a cert for portal.workcompworld.com.

The domain was deleted and re-added several times today while troubleshooting, which may have triggered a Let's Encrypt rate limit. Please manually trigger SSL certificate provisioning for this domain.

$10 Bounty

1 Replies

Railway
BOT

18 days ago

This thread has been opened as a bounty so the community can help solve it.

Status changed to Open Railway 18 days ago


Anonymous
PRO

13 days ago

The wildcard cert + HTTP 301 with the Railway header both confirm traffic is reaching Railway's edge fine, so routing/CNAME isn't the problem — this is isolated to verification/cert issuance. Two things to check:

1. The ownership TXT, not just the CNAME. A VALID CNAME doesn't mean verification passed. "Waiting for DNS update" also covers the _railway-verify ownership record, which Railway checks separately. For portal.workcompworld.com that record lives at host _railway-verify.portal, value exactly as shown in the domain's "Configure DNS Records" modal. Confirm it resolves:

dig TXT _railway-verify.portal.workcompworld.com

If it's missing or on the wrong host, that's the stuck verification — issuance never starts regardless of anything else.

2. Stop deleting/re-adding the domain. Each re-add on an unverified domain produces a failed Let's Encrypt authorization. LE allows only 5 failed auths per hostname per hour (refills 1 every 12 min), plus a 5-per-week duplicate-cert cap — several cycles in a day trips both. If you're rate-limited, no cert issues until the window refills, and re-adding only burns more budget. Leave it in place.

Fix the TXT, then don't touch it. Railway's provisioner retries on its own; once verification passes and a rate-limit slot frees (full recovery ~1 hr), the cert auto-issues. If it's still serving the wildcard cert ~1–2 hrs after the TXT is confirmed correct and you've stopped re-adding, open a thread with Railway and mention the repeated re-adds explicitly — they're the only ones who can read the actual ACME error and confirm whether you're in a Let's Encrypt rate-limit cooldown on their account.


Welcome!

Sign in to your Railway account to join the conversation.

Loading...