20 days ago
Custom domain origin.pauseapi.app on service "sentinel-api" has been stuck in certificateStatus VALIDATING_OWNERSHIP for ~4 days and never issues a TLS cert.
IDs:
- Project: sentinel-api (5da2a44f-3b00-45b8-b6b4-23f27ea42515)
-
- Environment: production (ffe5dcc9-2ff3-40fe-9dd8-bf4075fbc3ab)
-
- Service: sentinel-api (e04c0960-5bd6-4c68-b9bc-945e32f13465)
-
- Custom domain: origin.pauseapi.app (9a4949ac-6c06-4d3f-b802-b4254fc14e97)
DNS is correct and confirmed:
- CNAME origin.pauseapi.app -> 1ef4xd5w.up.railway.app resolves on public resolvers (1.1.1.1, 8.8.8.8) and the Namecheap authoritative NS.
-
- Your API reports currentValue == requiredValue == 1ef4xd5w.up.railway.app, status PROPAGATED, certificateErrorMessage: null.
-
- The edge (69.46.46.49) still serves the default *.up.railway.app cert; curl gives SSL error 60 (SAN mismatch) for origin.pauseapi.app.
Already tried (no effect):
- Deleted + re-added the custom domain (new target 1ef4xd5w; updated DNS to match).
- Added the _railway-verify.origin TXT record on DNS — cert still didn't issue.
Note: .app is HSTS-preloaded, so issuance must use TLS-ALPN-01 / DNS DCV rather than HTTP-01. Can you manually re-issue / unblock the cert for this domain?
1 Replies
20 days ago
This thread has been opened as a public bounty so the community can help solve it. The thread and any further activity are now visible to everyone.
Status changed to Open Railway • 20 days ago
19 days ago
Your DNS records seem to be set up correctly. If the certificate isn't issued within a day, just delete your domain and all its related DNS records, wait for 10~15 minutes, and add it again.