a month ago
I have this setup:
- Cloudflare DNS only, proxy disabled
api.staging.example.comis configured as an exact custom domain on my staging API service*.example.comis configured on a different Railway service for production
DNS resolves correctly to Railway:
dig +short CNAME api.staging.example.com @1.1.1.1
xxxxx.up.railway.app.
But TLS/SNI returns the wildcard cert instead of the exact domain cert:
openssl s_client -connect api.staging.example.com:443 -servername api.staging.example.com /dev/null | openssl x509 -noout -subject -issuer -ext subjectAltName
Output:
subject=CN=*.example.com
X509v3 Subject Alternative Name:
DNS:*.example.comSo the browser fails because *.example.com does not cover api.staging.example.com.
Can an exact domain like api.staging.example.com coexist with *.example.com on different Railway services, or is this unsupported due to wildcard overlap?
What’s the recommended setup?
8 Replies
a month ago
You need to add a TXT record to _railway-verify. where `` is the domain you're trying to add.
a month ago
Please don't ping team members.
Sorry. It has been 3-4 days since this started happening and nobody gave an answer or a solution. I cannot access my staging env since then
a month ago
Hello, we have acknowledged an issue with wildcard behavior when more-specific third-level domains are also provisioned on the service. I will update you when we have a fix in place.
a month ago
Hi @luis, we have rolled out a fleet-wide fix for this behavior, and it should now be working going forward. We have added regression tests for this specific behavior so that it won't happen again - sorry you ran into this. Thank you for the report.
Status changed to Solved medim • 28 days ago