SSL certificate - bypassing Cloudflare proxy for subdomain routing.
pancakeguru
PRO OP

a month ago

I have been trying to configure a custom subdomain, which is supposed to bypass the Cloudflare proxy and use only a DNS record at Cloudflare.
However, I have been largely unsuccessful, as there is an issue with the SSL certificate.

As far as I'm aware, Railway auto-generates a new certificate for each custom domain created.
When it's proxied via Cloudflare, there is no problem and everything works.

However, the issue starts when trying to bypass Cloudflare in DNS-only mode.
The custom domain only generates the CNAME record, but no _acme-challenge or other record for the SSL handshake between the other service and Railway.

The general issue, and the reason for bypassing the Cloudflare proxy here, is as follows:

  1. The sub-domain is meant for a specific geographical location.

  2. The given location is throttling down the Cloudflare-originating traffic.

  3. Due to this, we want to route the subdomain via an alternative CDN provider.

  4. It had been working for about 2 weeks, although the custom domain config was still showing the custom domain as incorrectly configured.

  5. In the last 2 days an issue occurred, where the browser now states that there is an invalid certificate, which is only valid for the CDN-specific address records, and therefore HSTS stops the site from loading.

$20 Bounty

3 Replies

pancakeguru
PRO OP

a month ago

So, the question is: how can I route the subdomain via another CDN while bypassing Cloudflare, which we use for our global traffic?


dardameiz
PRO

a month ago

Your alternative CDN needs to handle SSL for your subdomain, since Railway can't renew its Let's Encrypt cert when traffic goes through another CDN first. That's why it worked for 2 weeks and then broke: the cert expired, and the ACME challenge couldn't reach Railway to renew it.

Set up your alternative CDN to issue its own SSL cert for the subdomain, then configure Railway's default xxx.up.railway.app domain as the origin. The CDN handles the user-facing SSL and connects to Railway using Railway's own cert on the backend.
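The two failure modes in this thread (an edge certificate that only lists the CDN's own hostnames, and a Railway-issued certificate that lapsed because the ACME challenge could no longer reach Railway) both show up in the leaf certificate the edge presents for the subdomain. The script below is an added example, not code from Railway, Cloudflare or any CDN vendor: it implements SAN hostname matching (exact label or a single leading wildcard), an expiry check, and a helper that fetches the live leaf certificate with SNI. The hostnames `eu.example.com`, `*.edge.cdn-example.net` and the dates are constructed placeholders for the scenario described in the posts above.

```python
"""Diagnose which certificate a browser will see for a subdomain.

Added example for the thread above (not Railway's or the CDN's code).
Checks the one thing that broke here: does the certificate presented at
the edge actually cover the subdomain, and is it still valid?
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def hostname_matches_san(hostname: str, sans: List[str]) -> bool:
    """RFC 6125-style match against dNSName SAN entries.

    A wildcard may only be the whole leftmost label and covers exactly
    one label: '*.example.com' matches 'eu.example.com' but neither
    'a.b.example.com' nor 'example.com'. Matching is case-insensitive.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in sans:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue
        if san_labels[1:] != host_labels[1:]:
            continue
        if san_labels[0] == "*" or san_labels[0] == host_labels[0]:
            return True
    return False


def diagnose(hostname: str, sans: List[str], not_after: datetime,
             now: Optional[datetime] = None) -> str:
    """Classify a leaf certificate for `hostname`.

    'expired'       -> issued once, never renewed (the "worked for 2 weeks" symptom)
    'name-mismatch' -> cert covers the CDN's own names, not the subdomain
    'ok'            -> the edge is presenting a cert it issued for the subdomain
    """
    now = now or datetime.now(timezone.utc)
    if not_after <= now:
        return "expired"
    if not hostname_matches_san(hostname, sans):
        return "name-mismatch"
    return "ok"


def fetch_leaf_cert(hostname: str, port: int = 443,
                    timeout: float = 5.0) -> Tuple[List[str], datetime]:
    """Return (dNSName SANs, notAfter) of the leaf cert the edge serves for
    `hostname`, sent as SNI. Network access; not exercised by the tests.

    check_hostname is off so a mismatched cert is inspected rather than
    rejected; verify_mode stays CERT_REQUIRED because getpeercert() only
    returns the parsed dict for a validated chain. An untrusted chain
    raises ssl.SSLCertVerificationError, which is itself a diagnosis.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                       tz=timezone.utc)
    return sans, not_after


def demo() -> dict:
    """Constructed scenario mirroring the thread (dates are placeholders)."""
    now = datetime(2025, 3, 1, tzinfo=timezone.utc)
    # CDN edge answering with its own default cert: valid, but for its names only.
    cdn_default = (["*.edge.cdn-example.net", "edge-123.cdn-example.net"],
                   datetime(2025, 9, 1, tzinfo=timezone.utc))
    # Railway-issued cert for the subdomain that could not be renewed via ACME.
    stale_railway = (["eu.example.com"], datetime(2025, 2, 20, tzinfo=timezone.utc))
    # The fix: the CDN issues and serves its own cert for the subdomain.
    cdn_own_cert = (["eu.example.com"], datetime(2025, 9, 1, tzinfo=timezone.utc))
    return {
        "cdn-default": diagnose("eu.example.com", *cdn_default, now=now),
        "stale-railway": diagnose("eu.example.com", *stale_railway, now=now),
        "cdn-with-own-cert": diagnose("eu.example.com", *cdn_own_cert, now=now),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
    # Live check, e.g.: print(diagnose("eu.example.com", *fetch_leaf_cert("eu.example.com")))
```

Run it against the real subdomain with `fetch_leaf_cert` to see which side is terminating TLS: a `name-mismatch` verdict whose SANs are the CDN's hostnames means the CDN is answering without a certificate for your subdomain yet, and because the site sends HSTS the browser will refuse the connection outright rather than offer a click-through.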


pancakeguru
PRO OP

a month ago

Okay, this is helpful and I understand the issue now.
Thanks for the info.

However, I still have a question in regards to the ACME challenge.
I found some older Railway documentation which stated that an ACME challenge record has to be in the DNS records for the given Railway subdomain, and that the record was supposed to be generated when creating the new custom domain.
That is not the case, so I would like clarification about that: is that now happening automatically (or differently), or do I still need the ACME challenge in my DNS records separately for that given subdomain?

