Custom domain stuck in "Validating ownership" for days — correct CNAME, no TLS cert
petrefiedthunder
PROOP

20 days ago

Custom domain origin.pauseapi.app on service "sentinel-api" has been stuck in certificateStatus VALIDATING_OWNERSHIP for ~4 days and never issues a TLS cert.

IDs:

  • Project: sentinel-api (5da2a44f-3b00-45b8-b6b4-23f27ea42515)
    • Environment: production (ffe5dcc9-2ff3-40fe-9dd8-bf4075fbc3ab)
    • Service: sentinel-api (e04c0960-5bd6-4c68-b9bc-945e32f13465)
    • Custom domain: origin.pauseapi.app (9a4949ac-6c06-4d3f-b802-b4254fc14e97)

DNS is correct and confirmed:

  • CNAME origin.pauseapi.app -> 1ef4xd5w.up.railway.app resolves on public resolvers (1.1.1.1, 8.8.8.8) and the Namecheap authoritative NS.
    • Your API reports currentValue == requiredValue == 1ef4xd5w.up.railway.app, status PROPAGATED, certificateErrorMessage: null.
    • The edge (69.46.46.49) still serves the default *.up.railway.app cert; curl gives SSL error 60 (SAN mismatch) for origin.pauseapi.app.

Already tried (no effect):

  1. Deleted + re-added the custom domain (new target 1ef4xd5w; updated DNS to match).
  2. Added the _railway-verify.origin TXT record on DNS — cert still didn't issue.

Note: .app is HSTS-preloaded, so issuance must use TLS-ALPN-01 / DNS DCV rather than HTTP-01. Can you manually re-issue / unblock the cert for this domain?

$20 Bounty

1 Replies

Railway
BOT

20 days ago

This thread has been opened as a public bounty so the community can help solve it. The thread and any further activity are now visible to everyone.

Status changed to Open Railway 20 days ago


Your DNS records seem to be set up correctly. If the certificate isn't issued within a day, just delete your domain and all its related DNS records, wait for 10~15 minutes, and add it again.


Welcome!

Sign in to your Railway account to join the conversation.

Loading...