18 days ago
Custom domain portal.workcompworld.com has been stuck at "Waiting for DNS update" for over 6 hours despite CNAME being verified as VALID via the API.
Project ID: 73f0da78-129b-4e79-bc7a-cbac0be5b45d
Service ID: 2426984c-05c4-4734-bdb7-c8bfeaf6e76f
Domain ID: 8713da99-d00a-46d6-b73f-9bf46dc75b5e
Domain: portal.workcompworld.com
CNAME target: aywbgixd.up.railway.app
CNAME status (via API): VALID
Port: 8000
DNS resolves correctly - both portal.workcompworld.com and aywbgixd.up.railway.app resolve to 69.46.46.56. HTTP on port 80 works (returns 301 to HTTPS with x-railway-67 header). HTTPS on port 443 serves *.up.railway.app wildcard cert instead of a cert for portal.workcompworld.com.
The domain was deleted and re-added several times today while troubleshooting, which may have triggered a Let's Encrypt rate limit. Please manually trigger SSL certificate provisioning for this domain.
1 Replies
18 days ago
This thread has been opened as a bounty so the community can help solve it.
Status changed to Open Railway • 18 days ago
13 days ago
The wildcard cert + HTTP 301 with the Railway header both confirm traffic is reaching Railway's edge fine, so routing/CNAME isn't the problem — this is isolated to verification/cert issuance. Two things to check:
1. The ownership TXT, not just the CNAME. A VALID CNAME doesn't mean verification passed. "Waiting for DNS update" also covers the _railway-verify ownership record, which Railway checks separately. For portal.workcompworld.com that record lives at host _railway-verify.portal, value exactly as shown in the domain's "Configure DNS Records" modal. Confirm it resolves:
dig TXT _railway-verify.portal.workcompworld.comIf it's missing or on the wrong host, that's the stuck verification — issuance never starts regardless of anything else.
2. Stop deleting/re-adding the domain. Each re-add on an unverified domain produces a failed Let's Encrypt authorization. LE allows only 5 failed auths per hostname per hour (refills 1 every 12 min), plus a 5-per-week duplicate-cert cap — several cycles in a day trips both. If you're rate-limited, no cert issues until the window refills, and re-adding only burns more budget. Leave it in place.
Fix the TXT, then don't touch it. Railway's provisioner retries on its own; once verification passes and a rate-limit slot frees (full recovery ~1 hr), the cert auto-issues. If it's still serving the wildcard cert ~1–2 hrs after the TXT is confirmed correct and you've stopped re-adding, open a thread with Railway and mention the repeated re-adds explicitly — they're the only ones who can read the actual ACME error and confirm whether you're in a Let's Encrypt rate-limit cooldown on their account.