a month ago
We had a previously issued SSL that was failing to renew. We tried a few times to renew that SSL certificate before recreating it to ensure our DNS was not misconfigured.
I'm unable to get this SSL certificate issued for the following domain now. It's currently sitting on "Certificate Authority is validating challenges", but I'm guessing that will fail as well, as we've seen similar messages previously.
Domain: *.mapped.store
DNS is on Cloudflare; we don't have any Cloudflare proxies enabled on these records currently, nor did we during the initial renewal issue.
12 Replies
Status changed to Open Railway • 28 days ago
a month ago
Make sure the SSL is set to Full instead of Full Strict in your Cloudflare settings.
a month ago
If the certificate isn’t issued within a day, I’d try removing the domain from Railway and add it back after ~10-15 mins. Make sure to update DNS records if necessary.
a month ago
Hmm, ok, so Full Strict was on; pretty sure this was on when it issued the cert the first time as well. I'm still not seeing the cert get issued as of now with it set to Full instead. Will double-check again tomorrow.
a month ago
This morning it doesn't appear to have issued a certificate and is saying "An internal error occurred. Please retry or contact support."
a month ago
It did not resolve it
a month ago
Since Full vs Full Strict and a remove/re-add did not clear it, I would treat this as a wildcard-validation problem rather than a normal app-routing problem.
For a Railway wildcard domain on Cloudflare, check these records separately:
- wildcard CNAME for *.mapped.store -> Railway target
- _acme-challenge CNAME -> Railway ACME/challenge target, set to DNS-only / grey cloud
- TXT ownership record exactly as Railway shows it
The _acme-challenge record is the easy one to miss. Railway's current domain docs call out that wildcard domains get two CNAMEs plus a TXT record, and the _acme-challenge CNAME is required for certificate issuance. Also check CAA at the zone apex: if there are CAA records, they must allow Let's Encrypt / letsencrypt.org, otherwise validation can sit in "Certificate Authority is validating challenges" and eventually fail.
If all three DNS records and CAA are correct and it still says "internal error" after re-adding, I would stop retrying and give Railway the custom domain ID plus the exact generated CNAME/TXT/_acme-challenge values. At that point the failure is likely in the cert issuance job/state for that wildcard domain, not Cloudflare proxy mode.
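As an added example of the record and CAA checklist in this reply (not Railway's code and not the poster's), the script below evaluates a wildcard setup against a constructed in-memory snapshot of the zone, so it runs offline; swapping `lookup` for a real resolver makes it live. The required record names and values are the ones shown later in this thread's API status body (the `_railway-verify` TXT host and token come from there); the CAA zones marked hypothetical are constructed to show the failure modes. The CAA logic follows RFC 8659: strip the leading `*` label, climb toward the apex, the first CAA RRset found is authoritative, and `issuewild` overrides `issue` for wildcard names. Alias (CNAME) chasing for CAA is omitted.

```python
"""Offline checker for a Railway wildcard domain's DNS prerequisites.
Added example; not Railway's code. Zone data below is constructed."""

# Zone snapshots: owner name -> list of (rrtype, rdata). CAA rdata is (flags, tag, value).
ZONE_OK = {
    "*.mapped.store": [("CNAME", "01591llm.up.railway.app")],
    "_acme-challenge.mapped.store": [("CNAME", "01591llm.authorize.railwaydns.net")],
    "_railway-verify.mapped.store": [("TXT", "railway-verify=b125a4ee75b97ce0079dbfb1d66723efd1dbb7d71a9206f79c4ad526e02fa52a")],
}
# Hypothetical: apex CAA authorises a different CA only, so Let's Encrypt must refuse.
ZONE_RESTRICTED = {**ZONE_OK, "mapped.store": [("CAA", (0, "issue", "digicert.com"))]}
# Hypothetical: issue restricts ordinary names, issuewild opens wildcards to Let's Encrypt.
ZONE_SPLIT = {**ZONE_OK, "mapped.store": [("CAA", (0, "issue", "digicert.com")),
                                          ("CAA", (0, "issuewild", "letsencrypt.org"))]}
# Hypothetical: _acme-challenge left proxied (orange cloud); the resolver then sees A records.
ZONE_PROXIED = {**ZONE_OK, "_acme-challenge.mapped.store": [("A", "104.21.0.1"), ("A", "172.67.0.1")]}

# What Railway displays for *.mapped.store (values taken from the thread's status body).
REQUIRED = {
    "*.mapped.store": ("CNAME", "01591llm.up.railway.app"),
    "_acme-challenge.mapped.store": ("CNAME", "01591llm.authorize.railwaydns.net"),
    "_railway-verify.mapped.store": ("TXT", "railway-verify=b125a4ee75b97ce0079dbfb1d66723efd1dbb7d71a9206f79c4ad526e02fa52a"),
}


def lookup(zone, name, rrtype):
    """Return the rdata list for (name, rrtype); replace with a live resolver to go online."""
    return [rd for (t, rd) in zone.get(name, []) if t == rrtype]


def relevant_caa(zone, name):
    """RFC 8659 s3: drop a leading '*' label, then climb until some CAA RRset exists."""
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
    while labels:
        owner = ".".join(labels)
        rrs = lookup(zone, owner, "CAA")
        if rrs:
            return owner, rrs
        labels = labels[1:]
    return None, []


def caa_permits(zone, name, ca="letsencrypt.org"):
    """(allowed, reason). Parameters after ';' in a CAA value are ignored here."""
    owner, rrs = relevant_caa(zone, name)
    if not rrs:
        return True, "no CAA RRset on the path to the apex"
    issue = [v for (_flags, tag, v) in rrs if tag == "issue"]
    issuewild = [v for (_flags, tag, v) in rrs if tag == "issuewild"]
    # issuewild takes precedence for wildcard names; otherwise issue applies.
    effective = issuewild if (name.startswith("*.") and issuewild) else issue
    if not effective:
        return True, f"CAA at {owner} carries no issue/issuewild property"
    allowed = any(v.split(";", 1)[0].strip() == ca for v in effective)
    return allowed, f"CAA at {owner}: {effective}"


def check_railway_wildcard(zone, wildcard, required):
    """Return a list of problems; an empty list means DNS is not the blocker."""
    problems = []
    for fqdn, (rrtype, want) in required.items():
        got = lookup(zone, fqdn, rrtype)
        if got:
            if want not in got:
                problems.append(f"{fqdn}: {rrtype} is {got[0]!r}, expected {want!r}")
        elif lookup(zone, fqdn, "A"):
            # A CNAME that resolves to A records is the signature of a proxied/flattened record.
            problems.append(f"{fqdn}: no {rrtype}, only A records: proxied (orange cloud) or flattened?")
        else:
            problems.append(f"{fqdn}: {rrtype} missing")
    ok, why = caa_permits(zone, wildcard)
    if not ok:
        problems.append(f"CAA forbids letsencrypt.org ({why})")
    return problems


if __name__ == "__main__":
    for label, zone in [("ok", ZONE_OK), ("restricted", ZONE_RESTRICTED),
                        ("split", ZONE_SPLIT), ("proxied", ZONE_PROXIED)]:
        print(label, check_railway_wildcard(zone, "*.mapped.store", REQUIRED) or "clean")
```

A clean result from this check means the remaining failure is on the issuer's side of the DNS-01 delegation, which is the point at which retrying from the dashboard stops being useful.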
a month ago
There are no CAA records.
We've configured three records for the wildcard (used the copy button) and I confirmed them by watching the UI get the green check marks where it displays the records. I also confirmed as part of our last re-add to make sure all was good after we disabled Full Strict.
Agreed on waiting for Railway (have been at this point since last evening) but I'm not sure where the "custom domain id" is.
25 days ago
I'm still currently in the same spot with this and unable to issue a certificate
24 days ago
This needs Railway staff to retry/requeue issuance for that custom domain.
I think that's where I'm at with this, as I don't want to keep removing/re-adding the domain to check anything else.
As far as I know, the DNS records match what was displayed last, but I can't get the window to reappear in the "Public Networking" custom domain configuration. I know that when we added them, we watched them go green before the system attempted to issue a cert.
Dumb question, what do I need to do to get Railway to take a look at this?
24 days ago
API request from network browser showing the status of the DNS and SSL issuance:
{
"dnsRecords": [
{
"hostlabel": "*",
"fqdn": "*.mapped.store",
"recordType": "DNS_RECORD_TYPE_CNAME",
"requiredValue": "01591llm.up.railway.app",
"currentValue": "01591llm.up.railway.app",
"status": "DNS_RECORD_STATUS_PROPAGATED",
"zone": "mapped.store",
"purpose": "DNS_RECORD_PURPOSE_TRAFFIC_ROUTE"
},
{
"hostlabel": "_acme-challenge",
"fqdn": "_acme-challenge.mapped.store",
"recordType": "DNS_RECORD_TYPE_CNAME",
"requiredValue": "01591llm.authorize.railwaydns.net",
"currentValue": "01591llm.authorize.railwaydns.net",
"status": "DNS_RECORD_STATUS_PROPAGATED",
"zone": "mapped.store",
"purpose": "DNS_RECORD_PURPOSE_ACME_DNS01_CHALLENGE"
}
],
"cdnProvider": null,
"certificates": [],
"certificateStatus": "CERTIFICATE_STATUS_TYPE_ISSUE_FAILED",
"certificateStatusDetailed": "CERTIFICATE_STATUS_TYPE_DETAILED_FAILED",
"certificateErrorMessage": "An internal error occurred. Please retry or contact support.",
"certificateErrorType": "CERTIFICATE_ERROR_TYPE_INTERNAL",
"certificateRetryable": true,
"verified": true,
"verificationToken": "railway-verify=b125a4ee75b97ce0079dbfb1d66723efd1dbb7d71a9206f79c4ad526e02fa52a",
"verificationDnsHost": "_railway-verify",
"domainConnect": null
}
I think, based on this, the DNS is all configured correctly.
I've confirmed
- SSL mode in Cloudflare is set to Full, but not Full Strict.
- We aren't proxying any of the Railway items on Cloudflare (cloud is gray, not orange)
Any other thoughts would be appreciated, as it sounds like Railway doesn't look at "Domain setup threads".
20 days ago
So I recreated the custom domain in Railway and am still having the issue:
[
{
"id": "a9be102b-463f-4d7b-a531-2318d938a0c0",
"domain": "*.mapped.store",
"createdAt": "2026-05-19T02:16:18.163Z",
"updatedAt": "2026-05-19T02:16:18.930Z",
"serviceId": "23b88773-758c-41f1-950e-c23c29ea099f",
"environmentId": "c49311d4-b308-4866-868c-2f3e67f59ab0",
"projectId": "70b582c3-00de-47d9-849b-1bf20860d3be",
"targetPort": 80,
"cdnMode": "off",
"edgeId": "edge-500b32d4e9aaa4d3ff91d6ebb54285cd",
"syncStatus": "ACTIVE",
"isRailwayDomain": false,
"status": {
"dnsRecords": [
{
"hostlabel": "*",
"fqdn": "*.mapped.store",
"recordType": "DNS_RECORD_TYPE_CNAME",
"requiredValue": "tv6y1m4y.up.railway.app",
"currentValue": "tv6y1m4y.up.railway.app",
"status": "DNS_RECORD_STATUS_PROPAGATED",
"zone": "mapped.store",
"purpose": "DNS_RECORD_PURPOSE_TRAFFIC_ROUTE"
},
{
"hostlabel": "_acme-challenge",
"fqdn": "_acme-challenge.mapped.store",
"recordType": "DNS_RECORD_TYPE_CNAME",
"requiredValue": "tv6y1m4y.authorize.railwaydns.net",
"currentValue": "tv6y1m4y.authorize.railwaydns.net",
"status": "DNS_RECORD_STATUS_PROPAGATED",
"zone": "mapped.store",
"purpose": "DNS_RECORD_PURPOSE_ACME_DNS01_CHALLENGE"
}
],
"cdnProvider": null,
"certificates": [],
"certificateStatus": "CERTIFICATE_STATUS_TYPE_ISSUE_FAILED",
"certificateStatusDetailed": "CERTIFICATE_STATUS_TYPE_DETAILED_FAILED",
"certificateErrorMessage": "An internal error occurred. Please retry or contact support.",
"certificateErrorType": "CERTIFICATE_ERROR_TYPE_INTERNAL",
"certificateRetryable": true,
"verified": true,
"verificationToken": "railway-verify=b125a4ee75b97ce0079dbfb1d66723efd1dbb7d71a9206f79c4ad526e02fa52a",
"verificationDnsHost": "_railway-verify",
"domainConnect": null
}
}
]