5 days ago
I purchased a custom domain from Railway, but I still don't have SSL for my website. It's still being generated insecurely, and I keep getting the following error:
Failed to issue TLS certificate
Try Again
An internal error occurred. Please retry or contact support.
2 Replies
5 days ago
This thread has been opened as a bounty so the community can help solve it.
Status changed to Open Railway • 5 days ago
5 days ago
Since you bought the domain directly through Railway, the DNS side is handled automatically. This means the "Internal Error" is almost always a glitch in their automated certificate pipeline (the ACME challenge with Let's Encrypt) or an issue with your app's routing.
Here is exactly how you can fix it. Try these steps in order:
1. The "Hard Reset" (Fixes 90% of these glitches)
Sometimes Railway's edge proxy or validation tokens get desynced. Forcing a clean reset usually clears the pipeline.
- Go to your service settings in Railway and delete the custom domain completely.
- Walk away for about 5 to 10 minutes to let their global cache clear.
- Re-add the domain. This forces Railway to generate a brand new validation token and trigger a fresh request to Let's Encrypt.
2. Check your App Health and Port Binding
Railway routes public HTTPS traffic through an internal proxy to your container. If your app is crashing or not responding correctly, the TLS challenge can fail internally.
- Make sure your app is actually up and running without errors in the logs.
- Ensure your code is listening on the port assigned by Railway's environment variable (
process.env.PORTor$PORT). - Test if the default
*.up.railway.appdomain works. If that doesn't load, the TLS issue on your custom domain is just a symptom of your app being down.
3. Look out for hidden CAA Records
Even though Railway manages the domain, upstream registrar defaults can sometimes inject restrictive CAA (Certificate Authority Authorization) records.
- If there is an old or default CAA record that doesn't explicitly name
letsencrypt.org, Let's Encrypt will block the certificate generation, causing Railway to throw an internal error. - If you have access to the advanced DNS dashboard on Railway, check if there are any CAA records. If there are, delete them, or explicitly add one allowing Let's Encrypt.
One crucial warning: Stop spamming the "Try Again" button. Let's Encrypt has incredibly strict rate limits for failed validations. If you click it too many times, you will trigger a rate limit block, and you'll be stuck with an unissued certificate for up to 7 days, no matter what you do.
If you try the remove/re-add trick and it fails instantly on the very first try, it’s a platform-level sync error between Railway and their network provider (like Fastly). At that point, you just need to open a quick support ticket or ask in their Discord so an engineer can manually kick the pipeline from the backend.