a month ago
Hi Railway support,
I've been unable to get a TLS certificate issued for new custom domains on our project, even though the configuration matches another domain in the same service that
works perfectly.
Project: mira-portal (ID: 6136635a-9b88-4c2a-9afa-1d2ac50a15cf)
Service: mira-app (ID: 0f57a74b-d94e-430c-960f-12c40fcc8782)
Environment: production (ID: a9d5cec7-16cd-4039-8934-ce6a55674882)
Workingbaseline(forcomparison):
- Custom domain: multiplica.utopica.net
- Certificate: issued 2026-04-11, valid through 2026-07-10
- syncStatus: ACTIVE, cdnMode: off, targetPort: 3000, DNS PROPAGATED matching requiredValue
Brokendomain:
- Custom domain: tablero.utopica.net (ID: 26cfb54c-03aa-470e-9bb3-b8bb47c653c4)
- syncStatus: ACTIVE, cdnMode: off, targetPort: 3000, DNS PROPAGATED matching requiredValue (ehntcnfr.up.railway.app)
- certificates: [] — empty after 90+ minutes
- HTTPS returns the generic *.up.railway.app wildcard cert with SAN mismatch, then Not Found / "train has not arrived at the station" (request IDs:
fjjcBUNoS6Gp_DyMO8poTA, SH7E3j_pTpy6qex5ozsQ6Q)
- crt.sh shows no certificate was ever issued for tablero.utopica.net
WhatItried:
- Verified DNS resolves correctly from Cloudflare authoritative NS and public resolvers (1.1.1.1, 8.8.8.8). Proxy is OFF in Cloudflare.
- Verified CAA: utopica.net has no CAA (open), railway.app CAA permits letsencrypt.org.
- Deleted and recreated the customDomain entry 5+ times, updating the Cloudflare CNAME each time to match the new required target. Same result every time.
- Set targetPort: 3000 explicitly via customDomainUpdate.
- Tried an earlier FQDN (mira.utopica.net) and admin.utopica.net — same symptom.
- I also previously had a wildcard *.utopica.net custom domain that I deleted because it was never validated — unsure if that left something in a bad state.
WhatIsuspect: something in this project's cert-issuance pipeline is stuck. The config is valid and identical to the working domain, but Let's Encrypt never issues for
these FQDNs.
WhatIneed: please manually trigger cert issuance for tablero.utopica.net (id 26cfb54c-03aa-470e-9bb3-b8bb47c653c4), or let me know if there's something I should reset
on my side.
Thank you!
1 Replies
Status changed to Awaiting Railway Response Railway • about 1 month ago
Status changed to Open Railway • about 1 month ago
a month ago
Remove the custom domain records from your nameserver for 10 minutes and try again, just be careful to not hit the Let’s Encrypt limit of 5 certificates per domain per week.