11 days ago
Custom domain has been stuck ~24 hours. DNS verified, both records show green
checkmarks, but TLS handshake serves *.up.railway.app fallback instead of a
per-domain Let's Encrypt cert. Browser blocks with NET::ERR_CERT_COMMON_NAME_INVALID.
- Region: europe-west4 (drams3a)
- Custom domain: www.jucey.app
- Current target: 51l6pj7a.up.railway.app (66.33.22.157) (just re-changed the CNAME to this after deleting/re-adding www.jucey.app; this value should be correct: 51l6pj7a.up.railway.app)
CONTEXT
Yesterday my DNS provider (Openprovider) had a multi-hour zone-replication bug —
its three NSes returned inconsistent answers for the same SOA serial. Cert
provisioning likely failed many times during that window, probably tripping
LE's failed-validation rate limit.
This morning all three NSes converged on identical correct values:
$ for ns in ns1.openprovider.nl ns2.openprovider.be ns3.openprovider.eu; do
    dig @$ns +short www.jucey.app CNAME
    dig @$ns +short TXT _railway-verify.www.jucey.app
  done
→ all return: utufftd4.up.railway.app. + railway-verify=c2ea12384c56e3bb218f0e79ec...
But cert is still wildcard:
$ openssl s_client ... -connect www.jucey.app:443
subject= /CN=*.up.railway.app
issuer= /C=US/O=Let's Encrypt/CN=R12
I've since deleted and re-added the domain. Railway issued a new target
(51l6pj7a.up.railway.app); DNS is being updated to match.
REQUESTS
1. Check the cert-provisioning queue/state for this domain — manually retrigger
if a worker is stuck.
2. Tell me whether we've hit LE's failed-validation (5/hr) or duplicate-cert
(5/wk) rate limit, and the reset window. crt.sh shows zero certs ever issued
for the domain, so duplicate-cert seems unlikely.
3. If you have acme/cert logs for this domain, please share the relevant errors.
Thanks,
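
The triage the original post performs by hand, as an added example that is not part of the thread or of Railway's tooling: check that the nameservers agree, that they agree on the current target, and only then whether the served certificate's SAN list covers the custom domain. Function names, the TXT placeholder and the SAN list are assumptions constructed for the demo.

```python
# Added example; every sample value marked "constructed" is made up for the demo.

def san_matches(host, pattern):
    """RFC 6125-style match: '*' is honoured only as the entire left-most label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):          # a wildcard never spans more than one label
        return False
    if p[0] == "*":
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def cert_covers(host, sans):
    return any(san_matches(host, s) for s in sans)

def ns_converged(answers):
    """answers maps nameserver -> (CNAME, TXT); True when every NS agrees."""
    return len({(c.lower().rstrip("."), t) for c, t in answers.values()}) == 1

def diagnose(host, sans, answers, expected_target):
    """Name the first failing layer, DNS before TLS."""
    if not ns_converged(answers):
        return "dns-inconsistent"
    cname = next(iter(answers.values()))[0].lower().rstrip(".")
    if cname != expected_target.lower().rstrip("."):
        return "dns-stale-target"
    return "ok" if cert_covers(host, sans) else "fallback-cert"

# Constructed inputs shaped like the dig and openssl output in the post.
TXT = "railway-verify=<token>"    # placeholder, not the real token
NS_ANSWERS = {ns: ("utufftd4.up.railway.app.", TXT) for ns in (
    "ns1.openprovider.nl", "ns2.openprovider.be", "ns3.openprovider.eu")}
SERVED_SANS = ["*.up.railway.app"]   # constructed SAN list for the fallback cert

if __name__ == "__main__":
    # NSes agree, but on the target from before the domain was re-added.
    print(diagnose("www.jucey.app", SERVED_SANS, NS_ANSWERS, "51l6pj7a.up.railway.app"))
```

Converged nameservers are not sufficient on their own: after a delete and re-add the platform hands out a new target, so identical answers that all point at the old target still leave validation unable to succeed.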
Pinned Solution
11 days ago
If the certificate isn't issued within a few hours, I'd try removing the domain from Railway and adding it back after ~10-15 mins. Update DNS records as necessary.
Also, Railway's dashboard would inform you if you have reached LE's rate limit.
5 Replies
Status changed to Open Railway • 11 days ago
11 days ago
Oh, that's a FAST reply, thank you!
OK, we did JUST delete the old Railway custom domain (www.jucey.app) and replaced it with the same; updating the CNAME now.
If it doesn't propagate successfully and issue the SSL cert properly shortly after, can I message here again to continue trying to solve the problem?
11 days ago
Updated the CNAME to the new value 30 min ago,
got this on a test run:
=== Retry with verbose ===
* Connected to www.jucey.app (66.33.22.157) port 443
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF
* Server certificate:
*  subject: CN=*.up.railway.app
* subjectAltName does not match host name www.jucey.app
* SSL: no alternative certificate subject name matches target host name 'www.jucey.app'
curl: (60) SSL: no alternative certificate subject name matches target host name 'www.jucey.app'
Any way you can help out on your end, Railway?
Or is patience (expected for how long?) the way?
10 days ago
Sorry for the late reply, was busy.
But good to know it worked.
DNS propagation and certificate issuance usually finishes within the hour, but in some rare cases, may even take up to a day.
Status changed to Solved 0x5b62656e5d • 10 days ago
