Custom domain TLS handshake reset — cert never issues despite verified DNS (remove/re-add tried)
gelbert635
HOBBYOP

3 hours ago

Custom domain api.consulta.health on service sim-proxy (project befd7bc6-3bc2-4c7a-bae0-029b92d3ee23) stopped serving TLS — connections are reset during ClientHello. The Railway-generated domain (sim-proxy-production-616b.up.railway.app) works perfectly, including on the same edge IP, so this is SNI/cert-specific.

Dashboard shows the domain verified (green); both DNS records are in place at the registrar and resolve globally: CNAME api → qwlpd2ea.up.railway.app, TXT _railway-verify.api with the exact value shown in the dashboard.

openssl s_client -servername api.consulta.health → connection reset; same IP with the Railway-domain SNI completes TLS fine.

Already tried: removed and re-added the domain (got the new CNAME target qwlpd2ea, updated DNS, propagation confirmed within a minute). Cert still hadn't issued 1+ hour later. No CAA records on the domain.

The domain worked normally for ~1 day after initial setup (2026-06-11), then began resetting.

Can you check the cert issuance state for this domain on your edge?

$10 Bounty

0 Replies
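
The same-IP, two-SNI comparison described in the post above, written out as an added example (not part of the original thread and not Railway tooling). The hostnames are the ones quoted in the post; the `Probe`, `probe_sni` and `diagnose` names and the result labels are hypothetical.

```python
import socket
import ssl
from dataclasses import dataclass

@dataclass
class Probe:
    sni: str
    ok: bool
    detail: str  # TLS version and SANs on success, failure class otherwise

def probe_sni(ip: str, sni: str, port: int = 443, timeout: float = 5.0) -> Probe:
    """Handshake against one fixed edge IP, varying only the SNI value."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return Probe(sni, True, f"{tls.version()} SAN={sans}")
    except ConnectionResetError:
        return Probe(sni, False, "reset")  # RST received during the handshake
    except ssl.SSLCertVerificationError as e:
        return Probe(sni, False, f"cert-verify: {e.verify_message}")
    except OSError as e:  # includes ssl.SSLError and timeouts
        return Probe(sni, False, type(e).__name__)

def diagnose(custom: Probe, platform: Probe) -> str:
    """Compare the two probes taken against the same IP."""
    if not platform.ok:
        return "edge-or-network"   # control case fails too: not domain-specific
    if custom.ok:
        return "ok"
    if custom.detail.startswith("cert-verify"):
        return "cert-invalid"      # a cert is served, but not valid for this name
    return "sni-specific"          # only the custom hostname fails

if __name__ == "__main__":
    custom = "api.consulta.health"
    platform = "sim-proxy-production-616b.up.railway.app"
    ip = socket.gethostbyname(platform)  # pin both probes to one edge IP
    a, b = probe_sni(ip, custom), probe_sni(ip, platform)
    print(ip, a, b, diagnose(a, b), sep="\n")
```

A `sni-specific` result with `detail == "reset"` matches the behaviour reported in the post; `cert-invalid` would instead mean the edge is answering for the name with a certificate that does not verify for it.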

Railway
BOT

3 hours ago

This thread has been opened as a bounty so the community can help solve it.

Status changed to Open Railway about 3 hours ago

