Custom domain works but it's not issuing an SSL
fwmilo
PRO OP

4 months ago

I've set up the DNS correctly. Railway shows the setup as complete, yet it's not issuing an SSL to my domain. I've done everything to try to fix this on my end, but it's just a Railway problem, I've found, since I tested it on a Railway-generated domain and it was secure.

$10 Bounty

3 Replies

4 months ago

This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.

Status changed to Open brody 4 months ago


What DNS provider are you using?


domehane
FREE

4 months ago

What DNS provider are you using? Cloudflare?


rishisim
HOBBY Top 10% Contributor

11 days ago

The Railway-generated domain being secure means your app/port is probably fine; this is almost certainly the custom-domain DNS/cert path.

What I'd check:

1. In Railway, open the custom domain and copy the required DNS values again. For current Railway custom domains, both the routing record and the ownership verification record matter. The CLI docs call out the CNAME plus TXT verification record, and requests can fail/not verify until the TXT is present: https://docs.railway.com/cli/domain#custom-domain-setup

2. If your DNS provider is Cloudflare and the record is orange-cloud proxied, set Cloudflare SSL/TLS mode to Full, not Full (Strict). Railway's domain docs explicitly mention this for proxied Cloudflare records: https://docs.railway.com/networking/domains/working-with-domains#cloudflare-configuration

3. If the hostname is deeper than a first-level subdomain, e.g. app.api.example.com, turn Cloudflare proxying off / use DNS-only unless you have Cloudflare Advanced Certificate Manager. Railway documents that proxied deeper subdomains will not work as intended without ACM.

4. If you are not proxying through Cloudflare, make sure there are no conflicting A/AAAA/CNAME records for the same host, then wait for DNS propagation. Railway says certificate issuance should usually happen within about an hour after the DNS values are correct, though DNS propagation can take longer.

After fixing the records, I would remove and re-add the custom domain in Railway if it still looks stuck, because that forces you to compare against the latest CNAME/TXT values Railway expects.
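
The DNS checks listed in the answer above, as an added example that is not part of the original thread or Railway's own tooling: it reads record lines in `dig +noall +answer` format and compares them with the CNAME and TXT values copied from the Railway dashboard. Every hostname, record name and value in it is a constructed placeholder.

```python
# Added example: checks `dig +noall +answer` style lines against the values Railway shows.
# All hostnames and record values below are constructed placeholders.

def parse_answers(text):
    """Turn `dig +noall +answer` lines into (name, type, value) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5 or line.lstrip().startswith(";"):
            continue
        name, _ttl, _cls, rtype, value = parts
        rtype = rtype.upper()
        # TXT data is quoted and case-sensitive; other targets are normalised names.
        value = value.strip().strip('"') if rtype == "TXT" else value.strip().rstrip(".").lower()
        records.append((name.rstrip(".").lower(), rtype, value))
    return records

def check_domain(records, host, zone, cname_target, txt_name, txt_value, proxied=False):
    """Return a list of findings; an empty list means the records look consistent."""
    findings = []
    if (txt_name, "TXT", txt_value) not in records:
        findings.append("verification TXT record missing or wrong value")
    at_host = [(t, v) for n, t, v in records if n == host]
    if proxied:
        # A proxied record resolves to the proxy's addresses, so only depth is checked.
        depth = host[: -len(zone) - 1].count(".") + 1 if host != zone else 0
        if depth > 1:
            findings.append("proxied host is deeper than a first-level subdomain")
    else:
        if ("CNAME", cname_target) not in at_host:
            findings.append("routing CNAME missing or pointing elsewhere")
        others = {t for t, v in at_host if (t, v) != ("CNAME", cname_target)}
        extra = sorted(others & {"A", "AAAA", "CNAME"})
        if extra:
            findings.append("conflicting records at host: " + ", ".join(extra))
    return findings

# Constructed sample: a stale A record left beside the CNAME, TXT not yet added.
SAMPLE = """\
app.example.com.  300 IN CNAME target.placeholder.example.
app.example.com.  300 IN A     203.0.113.10
"""

if __name__ == "__main__":
    for finding in check_domain(parse_answers(SAMPLE), "app.example.com", "example.com",
                                "target.placeholder.example",
                                "verify.app.example.com", "placeholder-token"):
        print("FINDING:", finding)
```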

