13 days ago
Hi team — a custom domain will not finish TLS issuance. The cert has been stuck in VALIDATING_OWNERSHIP for days, even after a clean delete + re-add and with DNS fully validated on your side.
Account / location
- Workspace: Charis Sfyrakis's Projects (personal, Hobby plan)
-
- Project: ed7a2f9a-0cea-4ed6-bf4a-7f4fe6211a32
-
- Environment (production): 4cda972d-ca9b-4b40-9e1e-12111dd98f51
-
- Service (web): 5f95331a-eb9c-48b6-b468-61d0baf8805e
-
- Working Railway subdomain (valid cert): tagentic.up.railway.app
Affected custom domain (after delete + re-add today)
- www.tagentic.co — custom domain id 14b4cf0c-cefa-4f19-a180-d86fa5b8de3c
-
- Required CNAME target you issued on re-add: fvclff4u.up.railway.app
-
- I updated the DNS CNAME accordingly. Your GraphQL customDomain query now reports: dnsRecords[0].status = DNS_RECORD_STATUS_PROPAGATED, currentValue == requiredValue == fvclff4u.up.railway.app, yet certificateStatus = CERTIFICATE_STATUS_TYPE_VALIDATING_OWNERSHIP (still, ~1h after propagation).
-
- No CAA records on tagentic.co. DNS confirmed correct from 1.1.1.1 and from both authoritative NS (launch1/launch2.spaceship.net).
Billing-state contradiction (possibly related)
- Billing page shows an ACTIVE paid Hobby plan with a valid card and a "Cancel Plan" control; Usage shows only $0.74 used this cycle, nothing overdue.
-
- Yet the project canvas persistently shows the banner "Your trial has expired. Please select a plan to continue using Railway."
-
- These contradict. If this flagged state is what blocks custom-domain cert issuance, please clear it.
History
- The apex tagentic.co was previously attached and sat in VALIDATING_OWNERSHIP >24h; I removed it. I suspect a Let's Encrypt failed-authorization backoff on tagentic.co, or a stuck issuance pipeline.
Ask
- Please re-trigger / unstick certificate issuance for www.tagentic.co — DNS is validated on your side.
- Is there a LE rate-limit / failed-auth backoff on tagentic.co, and when does it clear?
- Is the workspace in a restricted/"trial expired" state despite the active paid Hobby plan? If so please resolve it.
- Once www issues, I'd also like to re-add the apex tagentic.co.
Thanks!
Pinned Solution
13 days ago
You need to add a TXT record at _railway-verify.www.tagentic.co.
If you are using the API to add your custom domain, you can find it in verificationToken under status
3 Replies
13 days ago
This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.
Status changed to Open Railway • 13 days ago
13 days ago
You need to add a TXT record at _railway-verify.www.tagentic.co.
If you are using the API to add your custom domain, you can find it in verificationToken under status
13 days ago
Hey! Your DNS configuration is completely correct, but you are currently stuck in a Let's Encrypt rate-limit lockout.
When you first added the domain, the platform's internal resolver checked it before it propagated, triggering a failed authorization. Because Let's Encrypt limits failures to 5 per hostname per hour, deleting and re-adding the domain repeatedly has unfortunately locked you into a cooldown loop.
How to fix it:
- Stop deleting and re-adding the domain. This resets and extends your lockout timer.
- Leave it completely alone for 2 hours to allow the Let's Encrypt backoff window to expire. (If youve done the delete less than 2hrs ago if not you can do this now)
- Do one final clean re-add after the 2-hour wait. Since your CNAME is already propagated, it should validate instantly.
13 days ago
needs the verification TXT. record name: _railway-verify.www.tagentic.co, value: the verificationToken from the domain's status (or copy it from the Custom Domains panel). once it propagates railway picks it up on the next check.
Status changed to Solved charis-algomo • 13 days ago