a month ago
I have this setup:
- Cloudflare DNS only, proxy disabled
api.staging.example.comis configured as an exact custom domain on my staging API service*.example.comis configured on a different Railway service for production
DNS resolves correctly to Railway:
dig +short CNAME api.staging.example.com @1.1.1.1
xxxxx.up.railway.app.
But TLS/SNI returns the wildcard cert instead of the exact domain cert:
openssl s_client -connect api.staging.example.com:443 -servername api.staging.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -ext subjectAltName
Output:
subject=CN=*.example.com
X509v3 Subject Alternative Name:
DNS:*.example.comSo the browser fails because *.example.com does not cover api.staging.example.com.
Can an exact domain like api.staging.example.com coexist with *.example.com on different Railway services, or is this unsupported due to wildcard overlap?
What’s the recommended setup?
1 Replies
a month ago
This thread has been opened as a bounty so the community can help solve it.
Status changed to Open Railway • about 1 month ago
a month ago
Root cause:
Railway's SNI routing prioritizes the wildcard cert (*.example.com) over the exact domain cert when both exist on different services.
Fix:
The two services are competing. Since *.example.com matches api.staging.example.com, Railway picks that cert first.
Option 1 — Move both domains to the same service logic
Remove *.example.com wildcard from the production service and instead add each subdomain explicitly (e.g. app.example.com, www.example.com). Then api.staging.example.com gets its own cert without conflict.
Option 2 — Use a different subdomain structure
Restructure so staging doesn't fall under the wildcard scope, e.g. use api.staging-env.example.com instead — completely outside *.example.com.
Option 3 — Contact Railway support
This may be a Railway-side SNI priority bug where exact domains should always win over wildcards. Worth reporting — exact match should take precedence over a wildcard in standard TLS/SNI behavior. Ask them to fix the cert selection order.
Short answer: Exact domain + wildcard on separate Railway services for the same root domain is currently broken/unsupported. Option 1 is the cleanest workaround.