2 days ago
We had a previously issued SSL that was failing to renew. We tried a few times to renew that SSL certificate before recreating it to ensure our DNS was not misconfigured.
I'm unable to get this SSL certificate issued for the following domain now. It's currently sitting on "Certificate Authority is validating challenges", but I'm guessing that will fail as well, as we've seen similar messages previously.
Domain: *.mapped.store
DNS is on Cloudflare; we don't have any Cloudflare proxies enabled on these records currently, nor did we during the initial renewal issue.
Status changed to Open Railway • 2 days ago
2 days ago
Make sure the SSL is set to Full instead of Full Strict in your Cloudflare settings.
2 days ago
If the certificate isn't issued within a day, I'd try removing the domain from Railway and adding it back after ~10-15 mins. Make sure to update DNS records if necessary.
2 days ago
Hmm, ok, so Full Strict was on; pretty sure this was on when it issued the cert the first time as well. I'm still not seeing the cert get issued as of now with it set to Full instead. Will double check again tomorrow.
2 days ago
This morning it doesn't appear to have issued a certificate and is saying "An internal error occurred. Please retry or contact support."
2 days ago
It did not resolve it.
2 days ago
Since Full vs Full Strict and a remove/re-add did not clear it, I would treat this as a wildcard-validation problem rather than a normal app-routing problem.
For a Railway wildcard domain on Cloudflare, check these records separately:
- wildcard CNAME for *.mapped.store -> Railway target
- _acme-challenge CNAME -> Railway ACME/challenge target, set to DNS-only / grey cloud
- TXT ownership record exactly as Railway shows it
The _acme-challenge record is the easy one to miss. Railway's current domain docs call out that wildcard domains get two CNAMEs plus a TXT record, and the _acme-challenge CNAME is required for certificate issuance. Also check CAA at the zone apex: if there are CAA records, they must allow Let's Encrypt / letsencrypt.org, otherwise validation can sit in "Certificate Authority is validating challenges" and eventually fail.
If all three DNS records and CAA are correct and it still says "internal error" after re-adding, I would stop retrying and give Railway the custom domain ID plus the exact generated CNAME/TXT/_acme-challenge values. At that point the failure is likely in the cert issuance job/state for that wildcard domain, not Cloudflare proxy mode.
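An offline pre-flight version of that checklist, added here as an example (it is not code from the thread, from Railway or from Cloudflare): it validates a Cloudflare-style record export against the wildcard CNAME, the DNS-only _acme-challenge CNAME, the ownership TXT and the apex CAA. All record names, Railway targets and TXT values are placeholders; the wildcard CAA rule (issuewild governs when present, otherwise issue) follows RFC 8659.

```python
"""Offline pre-flight checker for the wildcard DNS layout described in the reply above.
Record tuples are (name, type, content, proxied); every Railway target/TXT value is a placeholder."""
import re

def _find(records, name, rtype):
    return [(c, p) for n, t, c, p in records if n == name and t == rtype]

def caa_allows(records, apex, ca="letsencrypt.org"):
    """RFC 8659: a wildcard request is governed by 'issuewild' records when any exist,
    otherwise by 'issue' records; no CAA records at all permits any CA."""
    caa = [c for c, _ in _find(records, apex, "CAA")]
    if not caa:
        return True
    by_tag = lambda tag: [c for c in caa if re.match(rf"\d+\s+{tag}\s", c)]
    governing = by_tag("issuewild") or by_tag("issue")
    return any(ca in c for c in governing)

def check_wildcard_dns(records, apex, cname_target, acme_target, txt_name, txt_value):
    """Return a list of problems; an empty list means the DNS side matches the checklist."""
    problems = []
    wc = _find(records, f"*.{apex}", "CNAME")
    if not wc or wc[0][0] != cname_target:
        problems.append("wildcard CNAME missing or points to the wrong target")
    acme = _find(records, f"_acme-challenge.{apex}", "CNAME")
    if not acme or acme[0][0] != acme_target:
        problems.append("_acme-challenge CNAME missing or points to the wrong target")
    elif acme[0][1]:
        problems.append("_acme-challenge CNAME is proxied; it must be DNS-only (grey cloud)")
    if txt_value not in [c for c, _ in _find(records, txt_name, "TXT")]:
        problems.append("ownership TXT record missing or differs from what Railway shows")
    if not caa_allows(records, apex):
        problems.append("CAA at the apex does not allow letsencrypt.org")
    return problems

# Constructed sample zone with two common mistakes: proxied challenge record, restrictive CAA.
BROKEN_ZONE = [
    ("*.mapped.store", "CNAME", "PLACEHOLDER.up.railway.app", False),
    ("_acme-challenge.mapped.store", "CNAME", "PLACEHOLDER.acme.railway.app", True),
    ("_ownership-placeholder.mapped.store", "TXT", "PLACEHOLDER_TOKEN", False),
    ("mapped.store", "CAA", '0 issue "some-other-ca.example"', False),
]
FIXED_ZONE = [(n, t, c, False) for n, t, c, _ in BROKEN_ZONE if t != "CAA"]
EXPECTED = dict(apex="mapped.store", cname_target="PLACEHOLDER.up.railway.app",
                acme_target="PLACEHOLDER.acme.railway.app",
                txt_name="_ownership-placeholder.mapped.store", txt_value="PLACEHOLDER_TOKEN")

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, check_wildcard_dns(zone, **EXPECTED) or ["ok"])
```

Replace the constructed records with an export of the real zone (one tuple per record, `proxied` taken from the Cloudflare cloud toggle) and the placeholders with the values Railway displays.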
2 days ago
There are no CAA records.
We've configured three records for the wildcard (used the copy button) and I confirmed them by watching the UI get the green check marks where it displays the records. I also confirmed as part of our last re-add to make sure all was good after we disabled Full Strict.
Agreed on waiting for Railway (have been at this point since last evening) but I'm not sure where the "custom domain id" is.