a month ago
Service name: uniadshare
Issue: Custom domains (uniadshare.com, *.uniadshare.com) disappear from service config and SSL won't provision
DNS setup: Cloudflare with CNAME _acme-challenge.uniadshare.com → paqaclsp.authorize.railwaydns.net and TXT _railway-verify.uniadshare.com
Error: 525 SSL handshake failure
What you've tried: Multiple deployments, DNS provider change (GoDaddy → Cloudflare), DNS-only mode in Cloudflare
Can someone check Railway's backend logs to see why the domains aren't sticking and SSL isn't provisioning?
2 Replies
Status changed to Open Railway • 28 days ago
a month ago
I’d split this into two checks, because the 525 and the “domain disappears from service config” may be related, but they’re not exactly the same symptom.
For the SSL side: keep Cloudflare DNS-only for every record pointing at Railway, and make sure Cloudflare SSL mode is Full, not Flexible. Flexible can create some really confusing behavior once Railway starts trying to serve the cert.
For the verification side, I’d check the exact public records from outside Cloudflare:
dig +short CNAME _acme-challenge.uniadshare.com
dig +short TXT _railway-verify.uniadshare.com
dig +short CAA uniadshare.comIf you have CAA records, allow Let’s Encrypt, including wildcard issuance:
0 issue "letsencrypt.org"
0 issuewild "letsencrypt.org"One thing I’d avoid is repeatedly adding apex + wildcard while old validation targets are still cached. I’d get one hostname verified/certed first, then add the wildcard after that. If the TXT/CNAME resolve publicly and Railway still removes the domain from the service, then I wouldn’t keep changing DNS providers. That’s the point where staff need the service id plus the exact generated verification target Railway gave you.
a month ago
Removing the proxy worked!
Status changed to Solved brody • 28 days ago