2 months ago
I've attached my current DNS setup on cloudflare and the custom domain on railway.
The wildcard subdomain is not resolving
i.e. https://hm.vendohq.dev/ gives ERR_SSL_PROTOCOL_ERROR.
Railway has shown 'issuing TLS certificate' for more than 7 hours already.
I've checked https://docs.railway.com/guides/public-networking#wildcard-domains
and ensured that my Cloudflare account's edge certificate for that domain is using Universal SSL and that the current encryption mode is Full.
I appreciate any assistance on this, thanks! 🙂
Update: I have deleted and recreated the *.vendohq.dev custom domain (and updated the CNAME records) again. Let's hope this gets fixed when I check tomorrow.
@Brody I've deleted and recreated the *.vendohq.dev custom domain for the third time. Do you have an ETA on how long Railway takes to generate the TLS certs?
I saw it go from "incorrect DNS records" (which I corrected on Cloudflare) to "validating ownership" to "issuing TLS certs", which is where I got stuck.

2 months ago
If you're confident the domain was set up correctly, then it's probably some stale Cloudflare-cached TXT record; if so, you'd need to contact Cloudflare.
I'll check tomorrow!
2 months ago
Yep, incorrect TXT record. This is something stale on Cloudflare's end that we have no control over; you would need to contact Cloudflare's support.
couldn't get certificate: solving challenge: *.vendohq.dev: Incorrect TXT record "R4J9zNVCc1vWylDr_4GcA6Nw2iA1a5KOE7LEbfRsncU" (and 1 more) found at _acme-challenge.vendohq.dev
@Brody it looks like this is a common issue that occurs with other Railway customers:
https://station.railway.com/questions/wildcard-subdomain-setup-with-cloudflare-0fa5b30c
https://community.cloudflare.com/t/stale-txt-records/802332
From the thread, this is what Cloudflare recommends:
Ask Railway to supply the content they require for the TXT record, and add and/or update it regularly, when they need to issue a new certificate.
Ask Railway to change their certificate validation to HTTP, instead of DNS.
If you can upload your own certificate to Railway, you can use a Cloudflare origin CA (Cloudflare SSL/TLS docs).
These won't work together with Unproxied / DNS-only records.
Does the Railway team have any suggestion on this? Perhaps put this FAQ up somewhere, since I'm not the only person with this issue.
2 months ago
I'm sorry, but we cannot accommodate any of those recommendations. The TXT record is dynamic on our end, and changing the way we do validation is not on the table right now.
Cloudflare will need to clear the stale TXT record.
I managed to get it to work, thanks to that thread and ChatGPT. The gist of the issue is that Railway's automatic Let's Encrypt cert generation will not work with the 'cached TXT record', which is just the one Cloudflare's Universal SSL auto-generated. (https://developers.cloudflare.com/dns/manage-dns-records/troubleshooting/acme-challenge-txt-record/)
Steps
1. Verify by doing: dig TXT _acme-challenge. You should have an ANSWER SECTION with 2 TXT records.
2. Delete the custom domain on Railway, and the associated CNAME records on Cloudflare (* and _acme-challenge).
3. Disable Universal SSL on Cloudflare (dashboard -> SSL/TLS -> Edge Certificates -> scroll to the bottom, there's a disable button).
4. Verify the TXT records are gone: dig TXT _acme-challenge. The ANSWER SECTION should be gone.
5. Recreate the custom domain on Railway (*.yourdomain.com) AND the CNAME records on Cloudflare, with Universal SSL disabled.
6. Railway should generate the cert successfully.
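The "verify with dig" steps above boil down to one question: after the custom domain has been removed from Railway, is there any TXT record still published at _acme-challenge.<zone>? If so, it is a leftover that Railway's DNS-01 challenge will trip over. Below is an added example script (not Railway's or Cloudflare's tooling) that parses default dig output and answers that question; the zone example.com, the function names, and the two dig transcripts embedded as sample input are constructed for the offline demo.

```shell
#!/bin/sh
# Added example: detect leftover TXT records at _acme-challenge.<zone> that
# collide with an ACME DNS-01 challenge. Not Railway/Cloudflare code; the zone
# example.com and the dig transcripts below are constructed sample data.

# count_acme_txt: read dig output on stdin and print how many TXT records
# appear in the ANSWER SECTION (0 when the section is absent, e.g. NXDOMAIN).
# Default dig answer lines look like: NAME TTL IN TXT "value", so the record
# type is field 4; a CNAME to Railway in the same section is not counted.
count_acme_txt() {
    awk '
        /^;; ANSWER SECTION:/    { in_answer = 1; next }
        /^;;/ || /^$/            { in_answer = 0 }
        in_answer && $4 == "TXT" { n++ }
        END { print n + 0 }
    '
}

# classify_acme_txt: print "clean" when no TXT exists, otherwise "stale:<n>".
# Only meaningful after the custom domain has been deleted from Railway, so
# that any TXT still answered cannot be a challenge Railway is serving now.
classify_acme_txt() {
    n=$(count_acme_txt)
    if [ "$n" -eq 0 ]; then
        echo clean
    else
        echo "stale:$n"
    fi
}

# check_live_zone: run the check against a real zone (needs dig and network).
# Usage: check_live_zone yourdomain.com
check_live_zone() {
    dig TXT "_acme-challenge.$1" | classify_acme_txt
}

# Constructed transcript: two TXT records left behind at _acme-challenge.
SAMPLE_STALE=$(cat <<'EOF'
; <<>> DiG 9.18.24 <<>> TXT _acme-challenge.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;_acme-challenge.example.com.  IN  TXT

;; ANSWER SECTION:
_acme-challenge.example.com. 300 IN TXT "constructed-token-left-by-universal-ssl-1"
_acme-challenge.example.com. 300 IN TXT "constructed-token-left-by-universal-ssl-2"

;; Query time: 18 msec
EOF
)

# Constructed transcript: the name no longer exists, nothing to collide with.
SAMPLE_CLEAN=$(cat <<'EOF'
; <<>> DiG 9.18.24 <<>> TXT _acme-challenge.example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;_acme-challenge.example.com.  IN  TXT

;; AUTHORITY SECTION:
example.com. 1800 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600

;; Query time: 15 msec
EOF
)

printf '%s\n' "$SAMPLE_STALE" | classify_acme_txt   # stale:2
printf '%s\n' "$SAMPLE_CLEAN" | classify_acme_txt   # clean
```

Run check_live_zone against your own zone between steps 3 and 4 above; keep re-running it until it prints "clean" before recreating the custom domain, since recreating while it still prints "stale" puts you back at "issuing TLS certs".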