17 days ago
Hi — I've added slopless.work (and www.slopless.work) as custom domains on my service (slopless-work / slopless / production), but browsers get ERR_SSL_PROTOCOL_ERROR. Railway does not appear to have issued a certificate.
What I've verified:
1. DNS is correct and pointing directly at Railway (Cloudflare proxy is OFF / grey cloud):
- CNAME @ → 2iww727m.up.railway.app
- CNAME www → sv151ixf.up.railway.app
- TXT _railway-verify → set per dashboard instructions
- dig slopless.work +short returns 151.101.2.15 (Railway's Fastly edge) ✓
- dig www.slopless.work +short returns 151.101.2.15 ✓
2. The app itself is working — hitting the Railway edge with the custom Host header returns the app correctly:
curl -sSI -H "Host: slopless.work" https://2iww727m.up.railway.app
→ HTTP/2 200, server: railway-edge, x-nextjs-cache: HIT
3. The TLS handshake to slopless.work:443 fails before any cert is presented:
openssl s_client -connect slopless.work:443 -servername slopless.work
→ "no peer certificate available"
→ curl: "error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version"
4. Port 80 on slopless.work unexpectedly returns a 302 to https://www.safebrowse.io/warn.html. I suspect this is intercepting Let's Encrypt HTTP-01 challenges and preventing cert issuance:
curl -sSI http://slopless.work
→ HTTP/1.1 302 Found
→ Location: https://www.safebrowse.io/warn.html?url=http://slopless.work/&token=1dd35cc0
I've already tried removing and re-adding the custom domain in the Railway dashboard, and waiting an hour before I did that. Could you check the cert-issuance logs on your side and confirm? Happy to provide anything else you need (e.g. pictures).
Thanks!
Xiangan
Pinned Solution
12 days ago
Have you tried accessing the site from a different device?
And no, each hostname has a limit of 5 LE certs per week. If you do hit that limit, you'd need to wait till next week for it to reset.
5 Replies
17 days ago
This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.
Status changed to Open Railway • 17 days ago
17 days ago
Try accessing the site on an incognito window. Your browser may be caching stale certificates.
Attachments
12 days ago
Unfortunately I had already tried this and it's not working for me... Strange that it's working for you though...
I tried the following:
1. Cleared HSTS pin for the domain
Go to
chrome://net-internals/#hstsScroll to Delete domain security policies
Enter
slopless.work→ click DeleteRepeat for
www.slopless.work
2. Flush DNS + socket pools (clears in-memory cert cache)
chrome://net-internals/#sockets→ Flush socket poolschrome://net-internals/#dns→ Clear host cache
3. Clear browsing data
Cmd+Shift+Delete(Mac) /Ctrl+Shift+Delete(Windows)Time range: All time
Check: Cached images and files + Cookies and other site data
Clear
4. Restart the browser — closes any keepalive TLS sessions
After all that, hit https://slopless.work fresh.
Looking deeper, the apex slopless.work is serving no certificate at all (TLS handshake fails with tlsv1 alert protocol version), while www.slopless.work has a valid Let's Encrypt cert. Railway shows "Failed to issue TLS certificate — Let's Encrypt rate limit reached" on the apex domain.
So this looks like a server-side cert issuance issue, not browser cache. Any way to bump the rate limit or force a re-issue?
Attachments
12 days ago
Have you tried accessing the site from a different device?
And no, each hostname has a limit of 5 LE certs per week. If you do hit that limit, you'd need to wait till next week for it to reset.
12 days ago
Yes, I have tried to access the site from a different device - for some reason (I didn't change anything) - it had started to work just now.
It may have been the certs and needing to wait a whole week for it to reset... Thank you for your hlep.
Status changed to Solved 0x5b62656e5d • 12 days ago
3 days ago
Hi, I'd like to flag another issue.
The same issue has occurred after a while on its own, please see the attached screenshot.
Would love to get some assistance. Nothing has been changed about the way the app is deployed on Railway.
Attachments
Status changed to Awaiting Railway Response Railway • 3 days ago