DNS Settings: Still Validating domain ownership after more than 48h - SSL certificate

daniel-eberwein
HOBBYOP

a month ago

Dear Railway Team,

Recently I connected a custom domain to one of my projects. After more than 48h it still says "Validating domain ownership".

The domain itself seems to be connected, but the SSL certificate seems to be wrong as the browser shows a warning that the connection is not secure.

Could you please check if anything is pending?

Thanks in advance and best regards

Daniel

Solved | $10 Bounty

7 Replies

Railway
BOT

a month ago

Hey there! We've found the following might help you get unblocked faster:

If you find the answer from one of these, please let us know by solving the thread!


daniel-eberwein
HOBBYOP

a month ago

Hi,
unfortunately these links didn't help in resolving the issue.
Is there anything else I could do / check?

Thanks and best regards

Daniel


What service are you using to configure your DNS? What is the domain in question?


a month ago

This is the list of gotchas for custom domains. https://docs.railway.com/guides/public-networking#custom-domains:~:text=dynamic%20ALIAS%20records.-,Additional%20context,-Generally%2C%20direct%20CNAME

In my case, I had to remove the old A record that was using the same '@' host pointing to the old server. Also made sure that host was not shared by any other records and then set the TTL to automatic. I used a dnschecker to see that the record was being resolved.


daniel-eberwein
HOBBYOP

a month ago

Thanks both of you for your responses and input.

We are using Ionos for the domain and DNS settings.
The domain is www.7-health.com.

The domain itself looks fine, as it shows the application and when I try nslookup or ping, that works fine, too.

The only issue is that the SSL certificate is not accepted by the browser and it shows as not safe.


a month ago

The domain may be fine, but likely you either have conflicting records, an improper record, or you should just change your DNS to route through Cloudflare.

Check that in your DNS you are using the 'www' host not the '@'.

Then lastly, you'd want to remove the custom domain from the Railway config, remove the CNAME record from Ionos, wait ~20 minutes, add the custom domain back to Railway, add the CNAME record back to Ionos, and wait another ~20 minutes and use a DNS checker to make sure that the new value is being resolved.

This is the most common remediation step for almost all SSL issues. The second one is to forward your DNS traffic to Cloudflare: https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/. Either of these seems to resolve literally p99 of all SSL issues.
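
Added example, not part of the original thread or Railway's tooling: a small audit of a zone's record list for the conflicts named in the replies above (a host shared by the CNAME and other records, a stale record at the same host, the CNAME placed on '@' instead of 'www'). The zone `example.com`, the target `target.example.net` and all records are constructed placeholders; the record tuples are an assumed export format, not Ionos output.

```python
from collections import defaultdict

def normalize(host, zone):
    """Map '@', relative and absolute names to one lowercase FQDN (no trailing dot)."""
    host, zone = host.strip().lower().rstrip("."), zone.lower().rstrip(".")
    if host in ("@", ""):
        return zone
    if host == zone or host.endswith("." + zone):
        return host
    return f"{host}.{zone}"

def audit_custom_domain(records, zone, custom_host, expected_target):
    """Return (code, detail) findings for the host that should CNAME to the platform."""
    by_name = defaultdict(list)
    for host, rtype, value in records:
        by_name[normalize(host, zone)].append((rtype.upper(), value.lower().rstrip(".")))
    name, apex = normalize(custom_host, zone), normalize("@", zone)
    target = expected_target.lower().rstrip(".")
    rrset = by_name.get(name, [])
    cnames = [v for t, v in rrset if t == "CNAME"]
    others = [(t, v) for t, v in rrset if t != "CNAME"]
    findings = []
    if not cnames:
        findings.append(("missing-cname", f"{name} has no CNAME record"))
    for v in cnames:
        if v != target:
            findings.append(("wrong-target", f"{name} CNAME -> {v}, expected {target}"))
    if cnames and others:
        # A CNAME must be the only record at its name; leftovers (e.g. an old
        # A record for the previous server) make resolution unpredictable.
        kinds = ", ".join(f"{t} {v}" for t, v in others)
        findings.append(("shared-host", f"{name} also has: {kinds}"))
    if name != apex and any(t == "CNAME" and v == target for t, v in by_name.get(apex, [])):
        findings.append(("cname-on-apex", f"target CNAME is set on '@', not on {name}"))
    return findings

# Constructed sample data (documentation-range IP, placeholder names).
ZONE, TARGET = "example.com", "target.example.net"
BROKEN = [("@", "A", "203.0.113.10"),
          ("www", "A", "203.0.113.10"),      # stale record for the old server
          ("www", "CNAME", TARGET)]
FIXED = [("www", "CNAME", TARGET + ".")]
ON_APEX = [("@", "CNAME", TARGET)]

if __name__ == "__main__":
    for label, recs in (("broken", BROKEN), ("fixed", FIXED), ("on-apex", ON_APEX)):
        print(label, audit_custom_domain(recs, ZONE, "www", TARGET))
```

An empty result only means the record set is consistent; propagation still has to be confirmed with a DNS checker as described above.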


daniel-eberwein
HOBBYOP

a month ago

Thanks @dalinkstone!
Using Cloudflare was the solution in my case.

As reference for others with the same issue:
- I created an account in Cloudflare and entered my domain
- In my initial DNS provider I configured the provided nameservers of Cloudflare
- Cloudflare identified the existing DNS records and copied them over
- I created a redirect rule, so that traffic on the www.* domain got redirected to the main domain (without www.)
- I activated the proxy status for both CNAME entries in Cloudflare


Status changed to Solved uxuz 27 days ago

