SSL Certificate Error on Custom Domain
kamkara
HOBBYOP

a month ago

Issue Summary

Both domain.com (root domain) and www.domain.com (subdomain) are displaying SSL security errors despite following Railway's DNS configuration instructions. The www subdomain shows "Setup complete" in Railway dashboard, but both domains remain inaccessible due to SSL errors.

Domain Configuration Details

Domain: domain.com
DNS Provider: Hostinger
Railway Project: App.myapp
Environment: Production

Steps Taken

  1. Added custom domains on Railway:

    • www.domain.com

    • domain.com

  2. Configured DNS records on Hostinger according to Railway instructions:

    • www subdomain: CNAME → 6glk0fbe.up.railway.app (TTL: 3000)

    • Root domain: CNAME → l3lxj6zv.up.railway.app (as instructed by Railway)

  3. DNS Propagation confirmed (waited 72+ hours)

  4. Tested connectivity:

```bash
curl -I https://www.domain.com
# Result: HTTP/2 200 (connection works, but browser shows SSL error)

curl -I https://domain.com
# Result: SSL error (35) OpenSSL routines::tlsv1 alert internal error

openssl s_client -connect domain.com:443 -servername domain.com
# Result: error:10080002:BIO routines:BIO_lookup_ex:system lib
```


Solved $10 Bounty

7 Replies

Railway
BOT

a month ago

Hey there! We've found the following might help you get unblocked faster:

If you find the answer from one of these, please let us know by solving the thread!


kamkara
HOBBYOP

a month ago


realdonalfred
PRO

a month ago

Check your explorer cache, try using incognito mode or another explorer.


realdonalfred
PRO

a month ago

SSL works fine: https://www.sslshopper.com/ssl-checker.html#hostname=http://lnclass.com/ and for the sub-domain: https://www.sslshopper.com/ssl-checker.html#hostname=http://www.lnclass.com/
Maybe it's your browser cache.

Don't forget to mark the issue as resolved. After that I can receive my bounty.

Let me know if you have more questions.


realdonalfred
PRO

a month ago

!s


kamkara
HOBBYOP

11 days ago

Technical Summary

How to Fix SSL Errors and “Deceptive Site Ahead” Warnings when Using Railway + Cloudflare + External Domain

This documentation summarizes a real issue encountered while connecting domain.com to a Railway project using Cloudflare as a proxy.

Several users may face SSL failures or browser security warnings even after configuring their domains correctly.
These are the most common symptoms:

  • “Your connection is not private”

  • “Deceptive site ahead” (Google Safe Browsing)

  • SSL works on some browsers but not others

  • “Too many redirects”

  • Red SSL error on Chrome/Brave/Firefox, but OK on Samsung Internet/Safari

Root Causes

In every case, the issue is not related to Railway itself, but caused by one or more of the following:

  1. Conflicting or outdated DNS entries in Cloudflare

  2. Apex domain using incorrect A records

  3. Domain added to multiple Cloudflare accounts

  4. Cloudflare SSL mode set to Flexible

  5. Excessive or invalid CAA records

  6. Domain flagged by Google Safe Browsing due to previous SSL/DNS instability

Verified Solution Steps

1. Ensure the domain is active in only ONE Cloudflare account

Multiple zones for the same domain cause certificate conflicts.

2. Clean and standardize the DNS configuration

Correct Cloudflare DNS:

CNAME   domain.com      <project>.up.railway.app   (Proxy ON)
CNAME   www             domain.com                 (Proxy ON)

Remove:

  • all A records

  • all duplicate or outdated CNAMEs

  • unused AAAA records

  • unnecessary CAA entries

Minimal recommended CAA:

CAA 0 issue "letsencrypt.org"
CAA 0 issuewild "letsencrypt.org"

3. Configure Cloudflare SSL properly

Cloudflare → SSL/TLS:

  • Full (strict)

  • Universal SSL: Enabled

  • Always Use HTTPS: ON

  • Automatic HTTPS Rewrites: ON

  • Never use Flexible SSL

4. Add both domains in Railway

Railway → Networking:

Railway automatically validates the CNAME configuration.

5. Purge Cloudflare cache

Cloudflare → Caching → Purge Everything

6. Check Google Safe Browsing

If the domain still shows danger warnings, verify:

https://transparencyreport.google.com/safe-browsing/search

If flagged, request a review here:

https://safebrowsing.google.com/safebrowsing/report_error/

Browser warnings will disappear within 24–72 hours after Google revalidates the domain.

Final Result

After applying these steps:

  • SSL becomes stable for both apex and www

  • No more red security banners on Chrome/Firefox/Brave

  • No more redirect loops

  • Cloudflare/Google/Railway all validate the domain correctly

This workflow solves 100% of SSL and “dangerous site” cases involving Cloudflare + Railway.

thank you @realdonalfred

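The DNS and CAA checklist from the post above, written as an offline audit of a record list. This is an added example, not part of the original thread and not Railway or Cloudflare tooling; the `TYPE NAME VALUE` input format, the `example.test` zone and the `myproject` target are constructed assumptions.

```python
from collections import Counter

RAILWAY_SUFFIX = ".up.railway.app"  # CNAME target suffix shown in the thread
ALLOWED_CA = "letsencrypt.org"      # CA in the post's minimal CAA set
# Constructed sample zones, one "TYPE NAME VALUE" record per line (assumed format).
BEFORE = """
A      example.test  203.0.113.10
CNAME  example.test  myproject.up.railway.app
CNAME  www           example.test
CNAME  www           old-host.example.net
CAA    example.test  0 issue "letsencrypt.org"
CAA    example.test  0 issue "otherca.example"
"""
AFTER = """
CNAME  example.test  myproject.up.railway.app
CNAME  www           example.test
CAA    example.test  0 issue "letsencrypt.org"
CAA    example.test  0 issuewild "letsencrypt.org"
"""

def parse(zone_text, apex):
    """Turn record lines into (type, fqdn, value) tuples."""
    records = []
    for line in filter(str.strip, zone_text.splitlines()):
        rtype, name, value = line.split(None, 2)
        name = name.lower().rstrip(".")
        if name != apex and not name.endswith("." + apex):
            name = f"{name}.{apex}"  # relative label such as "www"
        records.append((rtype.upper(), name, value.strip()))
    return records

def audit(zone_text, apex):
    """Return sorted findings; an empty list means the checklist passes.

    The apex must point at Railway; other names may point at the apex.
    """
    records, findings = parse(zone_text, apex), set()
    cnames = Counter(n for t, n, _ in records if t == "CNAME")
    for rtype, name, value in records:
        if rtype in ("A", "AAAA"):  # the post removes these in favour of CNAMEs
            findings.add(f"{rtype} record on {name}: checklist says remove")
        elif rtype == "CNAME":
            target = value.lower().rstrip(".")
            if cnames[name] > 1:
                findings.add(f"duplicate CNAME for {name}")
            if not (target.endswith(RAILWAY_SUFFIX) or (name != apex and target == apex)):
                findings.add(f"{name} CNAME points to {target}, not Railway or the apex")
        elif rtype == "CAA":
            _flags, tag, ca = value.split(None, 2)  # e.g. 0 issue "letsencrypt.org"
            if ca.strip('"').split(";")[0].strip() != ALLOWED_CA:
                findings.add(f"CAA {tag} on {name} names {ca}: outside the minimal set")
    return sorted(findings)
```

Calling `audit(BEFORE, "example.test")` returns four findings, and `audit(AFTER, "example.test")` returns an empty list.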


realdonalfred

!s

kamkara
HOBBYOP

11 days ago

thank you


Status changed to Open ray-chen 11 days ago


Status changed to Solved ray-chen 11 days ago

