15 days ago
Hi Railway team,
LE cert issuance has been stuck in CERTIFICATE_STATUS_TYPE_VALIDATING_OWNERSHIP for 4+ hours on three custom domains. DNS is verified by your prober for two of them, services are SUCCESS, but the certs never issue.
Project: clawcert (dbcd2ba0-6aff-4335-88f0-14f80ecaba39)
Environment: production (17a0446c-927d-40be-bd5c-f148d1047e9d)
Account: solomon@taptax.co.uk
Stuck domains (current attachments):
1. www.claudecerts.com -> service web (a324fe2e-ba93-46eb-aa45-38349ce99d9b)
Domain ID: a1ead552-4692-4ba6-a102-bf582eebe910
Edge: tqrwmt0f.up.railway.app
DNS prober: currentValue matches requiredValue (DNS_RECORD_STATUS_PROPAGATED)
2. api.claudecerts.com -> service api (4e74d19b-6169-4915-b230-4d397d476d82)
Domain ID: 55a581d2-b15a-49f0-8c0f-3448e07a560b
Edge: rh6mk3v6.up.railway.app
DNS prober: currentValue matches requiredValue
3. claudecerts.com (apex, Cloudflare-fronted) -> service web
Domain ID: a821c9d1-f0dd-4f41-af17-273a4e3ec36d
Edge: 3ha4z0ih.up.railway.app
DNS prober currentValue is empty because Cloudflare auto-flattens apex CNAMEs. Apex TLS is handled by Cloudflare's universal SSL; this domain only needs Railway routing, not a Railway cert.
Verified working:
- DNS resolves correctly via 1.1.1.1 and 8.8.8.8 (CNAMEs DNS-only, not CF-proxied for www/api)
- HTTP edge serves 301->https on www.claudecerts.com and accepts /.well-known/acme-challenge/ (railway-edge response, not x-railway-fallback)
- Service URLs healthy: web-production-1c4a9.up.railway.app returns 307, api-production-291d.up.railway.app/api/health/ returns 200
- Latest deploys both SUCCESS in ~90s
Already tried:
- customDomainUpdate (returns true, no state change)
- Full detach + reattach cycle twice (new edge targets each time, all stuck the same way)
- serviceInstanceRedeploy on both services
- serviceInstanceDeployV2 with latest commit SHA
No public mutation exists to expedite the LE pipeline (no verifyDomain, no reissueCertificate, cdnMode is read-only).
Could you check the LE issuance queue for these three domain IDs? Confirming whether it's queue backlog vs an account rate limit would help me decide whether to keep waiting.
Thanks,
Solomon
3 Replies
15 days ago
This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.
Status changed to Open Railway • 15 days ago
15 days ago
I checked your DNS records; it appears you haven't configured the TXT record for your domain. Railway uses the TXT record to confirm domain ownership. You need to configure it to resolve this issue.
15 days ago
My guess is either:
- a backlog in the cert issuance workers
- an internal Railway issue with LE validation jobs
- or some hidden rate-limit/cooldown state that isn’t exposed publicly
I’d leave the domains attached as they are for now and let the Railway team inspect the queue/logs for those domain IDs directly.
darseen
I checked your DNS records; it appears you haven't configured the `TXT` record for your domain. Railway uses the `TXT` record to confirm domain ownership. You need to configure it to resolve this issue.
15 days ago
This resolved the issue. Thank you
Status changed to Solved mykal • 15 days ago
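A pre-flight check for the situation this thread ended on (routing CNAME in place, ownership TXT record absent, apex CNAME hidden by flattening), as an added example that is not part of the original thread or Railway's tooling. It parses `dig +noall +answer` style output; the `.test` names, the `_verify.` TXT label and the token values are constructed placeholders, so pass the record name and value your provider's dashboard actually shows.

```python
import shlex

def parse_answers(dig_text):
    """Parse `dig +noall +answer` style lines into {(name, type): [values]}."""
    records = {}
    for line in dig_text.splitlines():
        parts = line.split(None, 4)              # name ttl class type rdata
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        name, _ttl, _cls, rtype, rdata = parts
        if rtype == "TXT":                       # join quoted character-strings
            value = "".join(shlex.split(rdata))
        else:
            value = rdata.strip().rstrip(".").lower()
        records.setdefault((name.rstrip(".").lower(), rtype), []).append(value)
    return records

def check_domain(records, domain, edge_target, txt_name, txt_value):
    """Return a list of problems; an empty list means both records are in place."""
    problems = []
    domain = domain.rstrip(".").lower()
    cnames = records.get((domain, "CNAME"), [])
    if edge_target.rstrip(".").lower() in cnames:
        pass                                     # routing record is correct
    elif cnames:
        problems.append(f"CNAME points to {cnames[0]}, expected {edge_target}")
    elif records.get((domain, "A")) or records.get((domain, "AAAA")):
        # Apex flattening: the DNS host answers with addresses, not the CNAME.
        problems.append("CNAME not visible (flattened to A/AAAA)")
    else:
        problems.append("no CNAME record")
    txts = records.get((txt_name.rstrip(".").lower(), "TXT"), [])
    if txt_value not in txts:
        problems.append(f"ownership TXT record missing or wrong at {txt_name}")
    return problems

# Constructed sample answers (hypothetical names, not the thread's real records).
SAMPLE = """\
www.example.test.          300 IN CNAME abc123.up.example-edge.test.
api.example.test.          300 IN CNAME abc456.up.example-edge.test.
_verify.api.example.test.  300 IN TXT   "verify=" "token-api"
example.test.              300 IN A     192.0.2.10
"""

if __name__ == "__main__":
    recs = parse_answers(SAMPLE)
    for dom, edge in [("www.example.test", "abc123.up.example-edge.test"),
                      ("api.example.test", "abc456.up.example-edge.test")]:
        token = "verify=token-" + dom.split(".")[0]
        print(dom, check_domain(recs, dom, edge, "_verify." + dom, token) or "ready")
```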