Exact custom domain returns wildcard cert from another service
luismingati
PROOP

a month ago

I have this setup:

  • Cloudflare DNS only, proxy disabled
  • api.staging.example.com is configured as an exact custom domain on my staging API service
  • *.example.com is configured on a different Railway service for production

DNS resolves correctly to Railway:

dig +short CNAME api.staging.example.com @1.1.1.1

xxxxx.up.railway.app.

But TLS/SNI returns the wildcard cert instead of the exact domain cert:

openssl s_client -connect api.staging.example.com:443 -servername api.staging.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -ext subjectAltName

Output:

subject=CN=*.example.com

X509v3 Subject Alternative Name:

DNS:*.example.com

So the browser fails because *.example.com does not cover api.staging.example.com.

Can an exact domain like api.staging.example.com coexist with *.example.com on different Railway services, or is this unsupported due to wildcard overlap?

What’s the recommended setup?

$20 Bounty

1 Replies

Railway
BOT

a month ago

This thread has been opened as a bounty so the community can help solve it.

Status changed to Open Railway about 1 month ago


samuel-hedstrom-stack
PRO

a month ago

Root cause:

Railway's SNI routing prioritizes the wildcard cert (*.example.com) over the exact domain cert when both exist on different services.

Fix:

The two services are competing. Since *.example.com matches api.staging.example.com, Railway picks that cert first.

Option 1 — Move both domains to the same service logic

Remove *.example.com wildcard from the production service and instead add each subdomain explicitly (e.g. app.example.com, www.example.com). Then api.staging.example.com gets its own cert without conflict.

Option 2 — Use a different subdomain structure

Restructure so staging doesn't fall under the wildcard scope, e.g. use api.staging-env.example.com instead — completely outside *.example.com.

Option 3 — Contact Railway support

This may be a Railway-side SNI priority bug where exact domains should always win over wildcards. Worth reporting — exact match should take precedence over a wildcard in standard TLS/SNI behavior. Ask them to fix the cert selection order.

Short answer: Exact domain + wildcard on separate Railway services for the same root domain is currently broken/unsupported. Option 1 is the cleanest workaround.


Welcome!

Sign in to your Railway account to join the conversation.

Loading...