SSL cert provisioning stuck on custom domain
tomballard92
HOBBYOP

2 months ago

Service: MASKED

Project: MASKED (production environment)

Domain: MASKED

Region: europe-west4-drams3a

Railway URL: MASKED

---

Issue:

Custom domain MASKED has been stuck on "Certificate Authority is validating challenges" for over an hour. The CNAME is fully propagated and verified (green tick in Railway dashboard), but SSL cert provisioning never completes.

---

Steps taken:

1. Added MASKED as a custom domain — CNAME verified, cert stuck on CA validation

2. Deleted and re-added after ~30 mins (as suggested) — CNAME verified immediately, cert still stuck

3. Consulted Railway AI support agent — advised to wait 5 minutes and re-add with a longer gap

4. Deleted domain at 19:44, re-added at 20:28 (44 minute gap) — CNAME verified immediately again, cert still stuck on CA validation at 20:50

Three attempts total. Each time the CNAME verifies quickly but cert provisioning hangs at the same step.

---

DNS records (Namecheap):

- CNAME: MASKED

- TXT: MASKED

Cloudflare DNS lookup confirms:

- MASKED CNAME → MASKED

- Resolves to IPv4: MASKED

CAA records: None configured — MASKED returns only the CNAME. Let's Encrypt is not being blocked.

---

Additional context:

I'm investigating a related issue where HTTP requests from an iOS simulator to MASKED return MASKED with MASKED in the response headers - despite identical requests working correctly via curl from the same machine. The custom domain was added as an alternative routing path to investigate this. It's possible the same edge routing issue is preventing Let's Encrypt's ACME challenge from being served correctly.

HTTP curl to the domain returns a 301 redirect to HTTPS before the ACME challenge can be resolved.

---

Request:

Please can a Railway team member manually trigger SSL cert provisioning for MASKED on service MASKED, and if possible investigate why MASKED is being returned for certain clients on the MASKED domain.

Solved

1 Replies

Railway
BOT

2 months ago

Your CNAME record for staging.autora.uk is pointing to tl6tq9ta.up.railway.app, but the current required target is h6upkmf1.up.railway.app. This mismatch occurred because deleting and re-adding the domain generated a new CNAME target, and the old value is still in your Namecheap DNS. Updating the CNAME to h6upkmf1.up.railway.app should unblock certificate issuance. Also note our SSL troubleshooting docs warn against repeatedly deleting and re-adding domains, as Let's Encrypt enforces rate limits (5 duplicate certificates per domain per week). Regarding the x-railway-fallback 404 on your .up.railway.app domain, that header indicates our edge proxy could not route the request to your service, which typically points to a client-side difference in how the request is being made (e.g., HTTP vs HTTPS, or a missing Host header) rather than a platform routing issue.


Status changed to Awaiting User Response Railway about 2 months ago
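The stale-CNAME condition from the reply above can be checked before re-adding a domain. This is an added example, not part of the thread and not Railway's code: it compares the CNAME that DNS actually returns with the target the dashboard currently requires, and also applies the CAA check mentioned in the original post. The function names are hypothetical, and the input lines are constructed in the format of `dig +noall +answer <domain> CNAME` (and `CAA`) using the hostnames quoted in the reply.

```python
# Added example: sample records are constructed from the thread, not live lookups.

def norm(name):
    """DNS names compare case-insensitively; dig prints a trailing root dot."""
    return name.strip().rstrip(".").lower()

def parse_answers(dig_answer):
    """Turn `dig +noall +answer` lines into (owner, type, rdata) tuples."""
    records = []
    for line in dig_answer.splitlines():
        parts = line.split(None, 4)  # owner, ttl, class, type, rdata
        if len(parts) == 5 and not line.lstrip().startswith(";"):
            records.append((norm(parts[0]), parts[3].upper(), parts[4].strip()))
    return records

def check_issuance(domain, required_target, dig_answer, ca="letsencrypt.org"):
    """Return a list of findings that would block certificate issuance."""
    domain, required = norm(domain), norm(required_target)
    records = [r for r in parse_answers(dig_answer) if r[0] == domain]
    findings = []

    cnames = [norm(rdata) for _, rtype, rdata in records if rtype == "CNAME"]
    if not cnames:
        findings.append("no CNAME published")
    elif required not in cnames:
        findings.append(f"stale CNAME {cnames[0]}, dashboard requires {required}")

    # CAA rdata looks like: 0 issue "letsencrypt.org". No CAA means no restriction.
    issuers = []
    for _, rtype, rdata in records:
        fields = rdata.split(None, 2)
        if rtype == "CAA" and len(fields) == 3 and fields[1].lower() == "issue":
            issuers.append(fields[2].strip('"').split(";")[0].strip().lower())
    if issuers and ca not in issuers:
        findings.append(f"CAA permits only {sorted(issuers)}, not {ca}")
    return findings

# Constructed samples: old target still in DNS, then the corrected record.
STALE = "staging.autora.uk. 1799 IN CNAME tl6tq9ta.up.railway.app.\n"
FIXED = "staging.autora.uk. 1799 IN CNAME h6upkmf1.up.railway.app.\n"
REQUIRED = "h6upkmf1.up.railway.app"

if __name__ == "__main__":
    for label, answer in (("before", STALE), ("after", FIXED)):
        print(label, check_issuance("staging.autora.uk", REQUIRED, answer) or "ok")
```

An empty list means the published records match what the platform expects, so a further delete and re-add (and the certificate rate limit it counts against) is not needed.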


Railway
BOT

2 months ago

This thread has been marked as solved automatically due to a lack of recent activity. Please re-open this thread or create a new one if you require further assistance. Thank you!

Status changed to Solved Railway about 2 months ago

