23 days ago
Hi Railway team,
I have a custom domain that's stuck in a state where DNS is fully propagated and matches the required CNAME target, but no Let's Encrypt certificate is being issued. I've exhausted all the standard remediation steps documented in your community threads and would like an operator-side nudge or diagnosis.
Project: CMS FrontEnd
Project ID: 19661c0b-5c42-4dbd-9776-c36683c25e36
Environment: production (096cd382-474a-4a6d-8a4c-2aa7fc193290)
Service: openi-hub-cms (13171430-94cf-4887-9afc-34321ded88bc)
Custom domain ID: 9ed5bc03-8613-4d26-8c4c-c3d4c63ad2a9
Domain: admin.openi.tech
Current GraphQL state:
{
"domain": "admin.openi.tech",
"status": {
"dnsRecords": [{
"hostlabel": "admin",
"currentValue": "zve5xw5u.up.railway.app",
"requiredValue": "zve5xw5u.up.railway.app",
"status": "DNS_RECORD_STATUS_PROPAGATED"
}],
"cdnProvider": null,
"certificates": []
}
}
Verified externally:
$ dig +short admin.openi.tech CNAME
$ dig @ns53.domaincontrol.com +short admin.openi.tech CNAME
$ curl -I https://admin.openi.tech
curl: (35) error:0A000172:SSL routines::ssl/tls alert handshake failure
What I've already tried (with timestamps in UTC):
1. Initial custom-domain creation — DNS propagated within ~10 min, but certificates: [] persisted for 4+ hours
2. customDomainDelete + customDomainCreate via GraphQL (delete+re-add #1) — Railway re-assigned the CNAME target; updated GoDaddy DNS; certificate still didn't issue
3. customDomainUpdate to change targetPort (nudge attempt) — no effect
4. customDomainDelete + customDomainCreate (delete+re-add #2) — current state with target zve5xw5u.up.railway.app
5. Patient wait of 2+ hours with automated polling at 90s intervals (80 polls total) — DNS matched the entire time, certificates: [] throughout
6. Overnight wait (~6 hours additional) — no change
7. No CDN/proxy in front of the domain (cdnProvider: null), no CAA records blocking Let's Encrypt issuance
The two other custom domains in our org (api.openi.tech and app.openi.tech, in different projects) issued certificates within minutes of DNS propagation, so this appears specific to this domain or this service.
Could you please:
- Manually trigger Let's Encrypt issuance for this custom domain, or
- Investigate why automated issuance isn't kicking off despite DNS being correct
This is blocking our 5 May 2026 production cutover from the legacy admin.openi.ai domain. Happy to provide any additional logs or diagnostics on request.
Thanks,
Rajeev
Pinned Solution
23 days ago
You need to add a TXT record under _railway-verify.admin.openi.tech. If you’re using the API, the TXT content can be found from the verificationToken property under status.
3 Replies
23 days ago
This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.
Status changed to Open Railway • 23 days ago
23 days ago
You need to add a TXT record under _railway-verify.admin.openi.tech. If you’re using the API, the TXT content can be found from the verificationToken property under status.
Status changed to Awaiting User Response Railway • 23 days ago
22 days ago
.
Status changed to Awaiting Railway Response Railway • 22 days ago
22 days ago
I checked your project and the Let's Encrypt certificate for admin.openi.tech is now successfully issued and fully active. You should be able to access your Strapi application over HTTPS without any SSL handshake errors.
What likely happened is that the domain was deleted and re added multiple times in a short window, which can trigger Let's Encrypt rate limits and cause a temporary validation timeout. Since your DNS records, including the CNAME and the _railway verify TXT record, were already configured correctly, Railway was able to automatically provision the certificate once the rate limit window cleared.
Everything looks good now for your May 5th production cutover. Let me know if anything else comes up.
Best,
Jagjeet Singh
Attachments
Status changed to Solved 0x5b62656e5d • 22 days ago