a month ago
Hi — I've added slopless.work (and www.slopless.work) as custom domains on my service (slopless-work / slopless / production), but browsers get ERR_SSL_PROTOCOL_ERROR. Railway does not appear to have issued a certificate.
What I've verified:
1. DNS is correct and pointing directly at Railway (Cloudflare proxy is OFF / grey cloud):
- CNAME @ → 2iww727m.up.railway.app
- CNAME www → sv151ixf.up.railway.app
- TXT _railway-verify → set per dashboard instructions
- dig slopless.work +short returns 151.101.2.15 (Railway's Fastly edge) ✓
- dig www.slopless.work +short returns 151.101.2.15 ✓
2. The app itself is working — hitting the Railway edge with the custom Host header returns the app correctly:
curl -sSI -H "Host: slopless.work" https://2iww727m.up.railway.app
→ HTTP/2 200, server: railway-edge, x-nextjs-cache: HIT
3. The TLS handshake to slopless.work:443 fails before any cert is presented:
openssl s_client -connect slopless.work:443 -servername slopless.work
→ "no peer certificate available"
→ curl: "error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version"
4. Port 80 on slopless.work unexpectedly returns a 302 to https://www.safebrowse.io/warn.html. I suspect this is intercepting Let's Encrypt HTTP-01 challenges and preventing cert issuance:
curl -sSI http://slopless.work
→ HTTP/1.1 302 Found
→ Location: https://www.safebrowse.io/warn.html?url=http://slopless.work/&token=1dd35cc0
I've already tried removing and re-adding the custom domain in the Railway dashboard, and waiting an hour before I did that. Could you check the cert-issuance logs on your side and confirm? Happy to provide anything else you need (e.g. pictures).
Thanks!
Xiangan
Pinned Solution
24 days ago
Have you tried accessing the site from a different device?
And no, each hostname has a limit of 5 LE certs per week. If you do hit that limit, you'd need to wait till next week for it to reset.
13 Replies
a month ago
This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.
Status changed to Open Railway • 29 days ago
a month ago
Try accessing the site on an incognito window. Your browser may be caching stale certificates.
24 days ago
Unfortunately I had already tried this and it's not working for me... Strange that it's working for you though...
I tried the following:
1. Cleared HSTS pin for the domain
- Go to chrome://net-internals/#hsts
- Scroll to Delete domain security policies
- Enter slopless.work → click Delete
- Repeat for www.slopless.work
2. Flush DNS + socket pools (clears in-memory cert cache)
- chrome://net-internals/#sockets → Flush socket pools
- chrome://net-internals/#dns → Clear host cache
3. Clear browsing data
- Cmd+Shift+Delete (Mac) / Ctrl+Shift+Delete (Windows)
- Time range: All time
- Check: Cached images and files + Cookies and other site data
- Clear
4. Restart the browser — closes any keepalive TLS sessions
After all that, hit https://slopless.work fresh.
Looking deeper, the apex slopless.work is serving no certificate at all (TLS handshake fails with tlsv1 alert protocol version), while www.slopless.work has a valid Let's Encrypt cert. Railway shows "Failed to issue TLS certificate — Let's Encrypt rate limit reached" on the apex domain.
So this looks like a server-side cert issuance issue, not browser cache. Any way to bump the rate limit or force a re-issue?
24 days ago
Have you tried accessing the site from a different device?
And no, each hostname has a limit of 5 LE certs per week. If you do hit that limit, you'd need to wait till next week for it to reset.
24 days ago
Yes, I have tried to access the site from a different device - for some reason (I didn't change anything) - it had started to work just now.
It may have been the certs and needing to wait a whole week for it to reset... Thank you for your help.
Status changed to Solved 0x5b62656e5d • 24 days ago
15 days ago
Hi, I'd like to flag another issue.
The same issue has occurred after a while on its own, please see the attached screenshot.
Would love to get some assistance. Nothing has been changed about the way the app is deployed on Railway.
Status changed to Awaiting Railway Response Railway • 15 days ago
xbalbinus
Hi, I'd like to flag another issue. The same issue has occurred after a while on its own, please see the attached screenshot. Would love to get some assistance. Nothing has been changed about the way the app is deployed on Railway.
10 days ago
Check if the DNS records that Railway needs are the same as what you currently have in Cloudflare. I'm currently getting a Cloudflare 1016 error when trying to access www.slopless.work and slopless.work. Also, for the rate limit, you'd unfortunately just need to wait it out (a week usually). This is LE's rate limit of 5 certificates per hostname per week; Railway can't do anything about it.
9 days ago
Got it - and do you know how I can manually retry the cert issuance process? Or does Railway's DNS feature handle that for me?
9 days ago
Would you mind trying it again? I removed the DNS records a day ago and re-did it.
xbalbinus
Got it - and do you know how I can manually retry the cert issuance process? Or does Railway's DNS feature handle that for me?
9 days ago
Railway’s system should automatically retry. If the certificate isn’t issued within a day, I’d try removing the domain from Railway and adding it back after ~10-15 min. Make sure to update DNS records if necessary.
xbalbinus
Would you mind trying it again? I removed the DNS records a day ago and re-did it.
9 days ago
Also, I’m able to access both your root domain and www just fine. Try accessing it from an incognito window or a different device if you’re getting any SSL errors.
9 days ago
Even from an incognito window, unfortunately I'm still getting the same SSL errors. Is there a way to potentially clear the cache on my machine that I'm supposed to try?
9 days ago
Are you able to access the site on a different device connected to a different network?
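Checks 3 and 4 from the opening post, combined with the replies' suggestion to test from a different network, as an added example (not Railway's code and not posted by anyone in this thread): it classifies saved `curl -sSI` and `openssl s_client` output per network and reports whether the failure looks the same everywhere. The second network's sample output is constructed, and the function names and verdict labels are assumptions.

```python
import re
from urllib.parse import urlsplit

def port80_verdict(headers, host):
    """Classify `curl -sSI http://<host>` output captured on one network."""
    status = re.search(r"^HTTP/\S+ (\d{3})", headers, re.M)
    if not status:
        return "no-response"
    loc = re.search(r"^location:\s*(\S+)", headers, re.I | re.M)
    if status.group(1).startswith("3") and loc:
        target = (urlsplit(loc.group(1)).hostname or "").lower()
        # http -> https on the same name (or a subdomain such as www) is expected.
        if target == host.lower() or target.endswith("." + host.lower()):
            return "redirect-same-site"
        return "redirect-off-site:" + target
    return "status-" + status.group(1)

def tls_verdict(s_client):
    """Classify `openssl s_client -connect <host>:443 -servername <host>` output."""
    if "no peer certificate available" in s_client:
        return "no-certificate"
    if "BEGIN CERTIFICATE" in s_client:
        return "certificate-presented"
    return "unknown"

def triage(host, vantages):
    """vantages maps a network name to (curl headers, s_client output)."""
    seen = {n: (port80_verdict(h, host), tls_verdict(t)) for n, (h, t) in vantages.items()}
    if len(seen) < 2:
        return "need-second-network", seen   # one viewpoint cannot separate path from origin
    if len(set(seen.values())) > 1:
        return "differs-by-network", seen    # look at the path of the failing network
    _, tls = next(iter(seen.values()))
    return ("consistent-ok" if tls == "certificate-presented" else "consistent-failure"), seen

# Observations quoted in the opening post (the poster's network).
POSTER = ("HTTP/1.1 302 Found\r\n"
          "Location: https://www.safebrowse.io/warn.html?url=http://slopless.work/&token=1dd35cc0\r\n",
          "no peer certificate available\n")
# Constructed sample for a second network; not taken from the thread.
OTHER = ("HTTP/1.1 301 Moved Permanently\r\nLocation: https://slopless.work/\r\n",
         "Server certificate\n-----BEGIN CERTIFICATE-----\n(constructed, body omitted)\n")

if __name__ == "__main__":
    print(triage("slopless.work", {"poster": POSTER, "other": OTHER}))
```

A "differs-by-network" result says the port-80 redirect and missing certificate are only visible from one network, so they do not by themselves show what the certificate authority sees when it validates the domain.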