Pending wildcard tls cert for more than 10 days
archidous
HOBBYOP

3 months ago

I have the following wildcard domain set maybe more than 2 weeks ago; wildcard records are not proxied DNS on Cloudflare.

Attachments

Solved

16 Replies

Railway
BOT

3 months ago

Hey there! We've found the following might help you get unblocked faster:

If you find the answer from one of these, please let us know by solving the thread!


3 months ago

Could you try removing it (along with all the DNS records you've set) and re-adding it again?


Status changed to Awaiting User Response Railway 3 months ago


archidous
HOBBYOP

3 months ago

I did 2 hrs ago, and the state now is

Attachments


Status changed to Awaiting Railway Response Railway 3 months ago



archidous
HOBBYOP

3 months ago

It's still the same


archidous
HOBBYOP

3 months ago

Btw, I have other services with the same domain that are proxied by Cloudflare; only workspace is not proxied (wild)




archidous
HOBBYOP

3 months ago

It failed and I clicked try again, returning to the same status "Certificate Authority is validating Challenges"


echohack
EMPLOYEE

3 months ago

Hey there!

We're noticing that our upstream provider of certificate validation is having an incident.

I did go into detail and check a few things and I think your certificate, acme challenge, etc are all in good order. We'll just have to wait for their incident to resolve itself.

https://letsencrypt.status.io/

I'm keeping a close eye on this and will give it a retry for you once things are resolved.


Status changed to Awaiting User Response Railway 3 months ago


echohack
EMPLOYEE

3 months ago

I confirmed this over at Let's Debug, which is currently returning an internal error for Let's Encrypt services -- https://letsdebug.net/letsdebug.net/2647129

Unfortunately there's nothing we can do until Let's Encrypt's service is back online.


archidous
HOBBYOP

3 months ago

Can I use proxied services from Cloudflare for wildcards to skip Let's Encrypt issues?


Status changed to Awaiting Railway Response Railway 3 months ago


echohack
EMPLOYEE

3 months ago

Unfortunately no, we use Let's Encrypt internally to validate your certificate.

The Let's Encrypt issue has been resolved, however DNS-01 queries from your domain are still failing for reasons I don't understand. I'm going to escalate this internally to see if we can find an answer for you.


Status changed to Awaiting User Response Railway 3 months ago


archidous
HOBBYOP

3 months ago

Thank you, do we have any progress? I keep clicking try again but I think that won't change anything


Status changed to Awaiting Railway Response Railway 3 months ago


archidous
HOBBYOP

3 months ago

Any news? I need to run the service app????


echohack
EMPLOYEE

3 months ago

Hey there!

I'm looking deeper at your service and it looks like you have an invalid txt record that is blocking the validation: https://acme-v02.api.letsencrypt.org/acme/authz/924237717/627957532526

So you'd need to remove the invalid txt record and use CNAME flattening in order to validate the domain.

The TXT record and the CNAME record are conflicting here -- you cannot have both a CNAME and other record types for the same DNS name.

You can check with dig _acme-challenge.neizam.com TXT +short to see the TXT records.

Once you remove the invalid records, you can try again.


Status changed to Awaiting User Response Railway 3 months ago


archidous
HOBBYOP

3 months ago

I deleted the only TXT record and it was for the mail, but whatever, I deleted it, and it's still failing

The only _acme-challenge was set for the Railway service from the beginning

Attachments


Status changed to Awaiting Railway Response Railway 3 months ago


chandrika
EMPLOYEE

3 months ago

Hi there, I'm really sorry you still haven't been able to get this sorted.

Since the certificate is still having trouble validating, could you run dig _acme-challenge.neizam.com CNAME +short to confirm it's set up correctly and check dig _acme-challenge.neizam.com TXT +short to make sure that TXT record is actually gone (propagation can take a bit, so if it's still showing up, give it some time).

Once you've verified those things, try removing the wildcard domain from Railway entirely, wait a few minutes, then add it back fresh. That often clears up lingering validation issues.

If it's still not working after that, share the output from those dig commands and we can take a closer look at what's happening.

Best, The Railway Team


Status changed to Awaiting User Response Railway 3 months ago


Railway
BOT

2 months ago

This thread has been marked as solved automatically due to a lack of recent activity. Please re-open this thread or create a new one if you require further assistance. Thank you!

Status changed to Solved Railway 2 months ago


archidous
HOBBYOP

2 months ago

Hi, thank you for your reply. Actually, I now understand the issue: the DNS setup on my Cloudflare account was already correct, there were no TXT records there.
The issue was the Cloudflare Universal SSL setting; that was the one creating internal TXT records for the domain SSL cert. Once I disabled this option, the TXT records shown in the dig command are now gone. I deleted the domain, re-added it and modified to the new DNS records, and now it works.

Thank you everyone

For anyone coming to this thread, the short answer is:
Disable Cloudflare > SSL/TLS > Edge Certificates > Universal SSL

then re-add your domain to the service


Status changed to Awaiting Railway Response Railway 2 months ago


Status changed to Solved archidous 2 months ago
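
The two dig checks described in the replies above (a CNAME present on _acme-challenge, no TXT answered at the same name), as a small shell helper. This is an added example, not part of the thread or Railway's tooling; the function names, the example.net CNAME target and the token value are constructed, and the "txt-via-cname" case goes beyond what the thread discusses.

```shell
#!/bin/sh
# Added example: classify the state of an _acme-challenge name from the
# text printed by two dig queries (passed in as strings so it runs offline):
#   $1 = output of: dig _acme-challenge.<domain> CNAME +short
#   $2 = output of: dig _acme-challenge.<domain> TXT +short
classify_acme_dns() {
    cname_out=$1
    txt_out=$2

    # No CNAME answer: the delegation record is missing.
    if [ -z "$cname_out" ]; then
        echo "no-cname"
        return 0
    fi

    # In +short output TXT data is double-quoted, while a CNAME that the
    # resolver followed appears as an unquoted host name ending in ".".
    txt_count=$(printf '%s\n' "$txt_out" | grep -c '^"' || true)
    via_cname=$(printf '%s\n' "$txt_out" | grep -c '^[^"].*\.$' || true)

    if [ "$txt_count" -eq 0 ]; then
        echo "ok"              # CNAME present, no TXT in the way
    elif [ "$via_cname" -gt 0 ]; then
        echo "txt-via-cname"   # TXT is served by the CNAME target
    else
        echo "conflict"        # TXT answered at the challenge name itself
    fi
}

# Live check (needs network access and dig); defined but not called here.
check_domain() {
    name="_acme-challenge.$1"
    classify_acme_dns "$(dig "$name" CNAME +short)" "$(dig "$name" TXT +short)"
}

# Constructed sample outputs (hypothetical target and token, not from the thread).
SAMPLE_CNAME='abc123.authorize.example.net.'
SAMPLE_TXT='"constructed-validation-token"'

classify_acme_dns "$SAMPLE_CNAME" "$SAMPLE_TXT"
classify_acme_dns "$SAMPLE_CNAME" ""
```

A "conflict" result corresponds to the situation in this thread: a TXT record is being answered at the challenge name even though only the CNAME was configured by hand.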

