For wildcard domains, we handle the TXT record management automatically - you add a CNAME for _acme-challenge pointing to authorize.railwaydns.net, and we manage the actual TXT records on our end for certificate validation. The most common cause of Error 525 with Cloudflare wildcards is the _acme-challenge CNAME being proxied (orange cloud) when it must be DNS-only (grey cloud). Can you confirm the _acme-challenge record is set to grey cloud, Universal SSL is enabled, and SSL/TLS mode is set to Full (not Full Strict)?

Cloudflare was set as grey cloud, FULL (not Full Strict), Universal SSL is enabled. I updated the CNAME to [authorize.railwaydns.net](authorize.railwaydns.net)
but that didnt work, reverted it back to what Railway settings said, and it did work. So im not sure what the learning point there was. But happy its working.

Apologies for previously sending generic values. Glad you got it working. Certificate issuance can sometimes just need time to propagate (typically up to an hour, occasionally longer).

Sorry this took longer than it should of. Let us know if you need further help.