14 days ago
Hello Railway Support,
I'm experiencing an SSL certificate issue with my custom domains.
I have both:
- flowsynai.com
- *.flowsynai.com
configured on Railway.
The wildcard domain appears to be working correctly, but the root domain (flowsynai.com) is presenting a certificate mismatch error. It looks like the wildcard certificate is being served, but it does not properly match the apex domain.
As a result, accessing https://flowsynai.com returns an SSL certificate error, while wildcard subdomains continue to work.
Could you please investigate the certificate provisioning and ensure that flowsynai.com is included correctly alongside the wildcard domain?
Thank you.
16 Replies
14 days ago
This thread has been opened as a bounty so the community can help solve it.
Status changed to Open Railway • 14 days ago
14 days ago
It's been going on and off.
14 days ago
This is all I have set.
14 days ago
These are the records on Railway.
14 days ago
This is for wildcard *flowsynai.com
14 days ago
This is how I set everything; still the SSL comes up frequently. I will still watch for some days.
14 days ago
Did you check the screenshots I attached?
14 days ago
Okay, I will wait for a few days again and see if this is totally fixed.
13 days ago
Same thing on nahltime.com — apex served the *.nahltime.com wildcard (ERR_CERT_COMMON_NAME_INVALID) even though the apex cert was issued (saw it in CT logs) but never bound to the edge. Worked for weeks, broke after a wildcard renewal, and remove/re-add only helped for a few hours while burning the LE weekly cert limit. Fix that worked: apex behind Cloudflare proxied (orange) with SSL/TLS = Full, subdomains left grey — Cloudflare serves its own apex cert so Railway's broken edge never comes into it. Grey/DNS-only did nothing; only proxying worked. It's a workaround though — the real bug is Railway not binding the issued apex cert.
13 days ago
Yes, exactly. Mine is working fine now; I had to remove the main domain and re-add it again, but this is the second time I am having this same issue this week, so I am on watch, which is why I am waiting to see what's up before closing this ticket.
12 days ago
Hello everyone, the issue has started again: https://flowsynai.com
12 days ago
I’m seeing the same failure pattern on another Railway-hosted domain, so this does not look isolated!!
Setup pattern:
- Apex/root custom domain configured on Railway
- Wildcard custom domain also configured on Railway
- Wildcard subdomains continue to work
- Apex/root domain intermittently gets served the wildcard-only certificate
- Browser fails with ERR_CERT_COMMON_NAME_INVALID because *.example.com does not cover example.com
I verified this with openssl s_client -servername against the Railway edge IP. The certificate returned for the apex SNI only contained the wildcard SAN, not the apex hostname.
This looks less like a DNS issue and more like a Railway Edge SNI certificate binding issue, where the issued apex certificate is either not being selected or not being bound correctly at the edge.
Removing and re-adding the domain may temporarily help, but it risks burning Let’s Encrypt weekly duplicate certificate limits and does not seem to address the underlying edge binding problem.
Railway should probably investigate the certificate binding / SNI cert map for setups that include both:
- example.com
- *.example.com
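Added example, not part of any post in this thread: a Python version of the check described above. It connects to an edge address while sending the apex name as SNI, reads the SANs of the certificate that comes back, and tests whether any of them covers the name. The function names and command-line arguments are this example's own assumptions.

```python
import socket
import ssl
import sys


def san_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style match: '*' stands for exactly one left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # '*.example.com' has 3 labels, 'example.com' has 2
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def covering_sans(hostname: str, sans: list[str]) -> list[str]:
    """Return the SAN entries that cover hostname (empty list = mismatch)."""
    return [s for s in sans if san_matches(hostname, s)]


def served_sans(connect_to: str, sni: str, port: int = 443) -> list[str]:
    """Fetch the DNS SANs of the certificate served for `sni` at `connect_to`.

    The chain is still validated; only the hostname check is turned off so a
    mismatching certificate can be inspected instead of aborting the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((connect_to, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


if __name__ == "__main__":
    # Assumed usage: python check_san.py <edge-ip-or-host> <sni-hostname>
    edge, name = sys.argv[1], sys.argv[2]
    sans = served_sans(edge, name)
    hits = covering_sans(name, sans)
    print(f"SNI {name} via {edge}: SANs={sans}")
    print("OK, covered by " + ", ".join(hits) if hits else "MISMATCH: no SAN covers " + name)
    sys.exit(0 if hits else 1)
```

Run on a schedule against the apex name, a non-zero exit flags the moment the wildcard-only certificate is served again, without removing and re-adding the domain.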
12 days ago
Exactly. How can we reach out to Railway to solve this now?
12 days ago
This is a Railway issue; they are ignoring my HTTPS cert issues too. All of my sites are offline. They do not care.
12 days ago
Wow, that means we are all in this together; I am not the only one.
12 days ago
I have been able to fix the issue finally myself.
