a month ago
I have a custom domain stuck in a state where DNS is fully propagated and Railway reports syncStatus: ACTIVE, but Let's Encrypt has never been asked to issue a certificate — the certificates array stays empty indefinitely.
Details:
Project: Ilara Data Brief (id 686d7b47-51d4-4475-8efa-fdfb72e6c366)
Service: ilara-data-brief (id c8b0ef53-7293-4082-b479-cf8300cfd31f)
Environment: production (id 03d54100-34b0-49c4-ad01-fdde1188d0fd)
Custom domain: data.ilara.health (customDomain id 60d71943-bf77-4021-ae51-b8ab8d50f30b)
What's working:
DNS resolves correctly from Google, Cloudflare, Quad9 (data.ilara.health CNAME → 015i5b32.up.railway.app)
Railway API reports DNS_RECORD_STATUS_PROPAGATED and syncStatus: ACTIVE
No CAA records blocking
Other *.ilara.health subdomains have working LE certs on different Railway projects (e.g. emr.ilara.health), so it's not rate-limiting
What's stuck:
customDomain.status.certificates returns []
crt.sh shows zero LE issuance attempts for data.ilara.health
HTTPS serves Railway's wildcard fallback (*.up.railway.app) instead of a cert for our domain
What I've tried:
Delete and recreate the customDomain twice (yesterday and today). Each time Railway issues a new edge target, GoDaddy CNAME updated to match, status goes to ACTIVE — cert still never provisions.
First domain attempted was brief.ilara.health (now deleted) — exact same failure pattern, so it's not subdomain-specific.
Could someone manually trigger cert issuance for data.ilara.health on this service?
Pinned Solution
a month ago
You need to add a TXT record to _railway-verify.data.ilara.health. You can find the content for the TXT record under the verificationToken property under status.
2 Replies
a month ago
This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.
Status changed to Open Railway • about 1 month ago
a month ago
You need to add a TXT record to _railway-verify.data.ilara.health. You can find the content for the TXT record under the verificationToken property under status.
a month ago
0x is probably right here: the CNAME side looks fine, but the ownership TXT doesn’t seem visible publicly yet.
From here I can see:
data.ilara.health -> 015i5b32.up.railway.appbut this returns nothing for me:
_railway-verify.data.ilara.healthSo Railway may be marking the DNS target as active, but still not starting cert issuance because it can’t verify ownership.
In GoDaddy, since the zone is ilara.health, the TXT host/name is usually _railway-verify.data, not necessarily the full _railway-verify.data.ilara.health, depending on the UI. Value should be exactly the verificationToken Railway shows.
I’d check it from outside GoDaddy after saving:
dig +short TXT _railway-verify.data.ilara.health
dig +short CNAME data.ilara.healthOnce both are public, then remove/re-add only if Railway still refuses to issue the cert.
Status changed to Solved 0x5b62656e5d • 7 days ago