TLS cert blocked by Let's Encrypt rate limit — need manual issuance for custom domain (no re-add)
wombleferret
PROOP

22 days ago

Project / service: epl-draft (production environment) — project ID 4fcddbbc-872c-432b-8ac4-4354a6de1785

Affected domain: www.futinho.com

Working domain on the same service (for comparison): www.soccergy.com (HTTP 200, cert fine)

Summary:

www.futinho.com is attached to the service and verifies fine, but the cert won't issue. The dashboard shows:

▎ Failed to issue TLS certificate — Let's Encrypt rate limit reached. Please wait before retrying. This error cannot be

▎ automatically retried. Please check your DNS configuration or contact support.

Every HTTPS request fails the TLS handshake (curl → HTTP 000). This is not a DNS misconfiguration — it's the LE rate limit,

triggered by repeated delete/re-adds of the domain while troubleshooting a separate outage earlier today.

Background (what caused it):

Earlier today www.futinho.com went down (TLS handshake failures) while www.soccergy.com stayed up. While troubleshooting I

deleted and re-added the custom domain several times. Each re-add rotated the CNAME target (dt1arb6w… → giat374b… → dvd2eh79…)

and fired a new cert-issuance attempt, which has now tripped the Let's Encrypt rate limit. I've stopped re-adding.

Current DNS (confirmed correct and stable, host = Squarespace):

  • CNAME www → dvd2eh79.up.railway.app (matches the current target shown in the dashboard)
  • TXT _railway-verify.www → railway-verify=8643fc935b01067f4beea2eb3478cc6fdd01322d2bee473c863da40998e32547
  • Resolves to Railway edge 69.46.46.37 (same 69.46.46.x block as the working www.soccergy.com at .25)
  • Target port 8080 is correct (app logs: serve … Accepting connections at http://localhost:8080)
  • No CAA records on futinho.com or www.futinho.com — Let's Encrypt is not blocked
  • No conflicting/duplicate www records

What I need:

  1. Once the Let's Encrypt rate-limit window clears, please manually trigger certificate issuance for www.futinho.com — without

burning more attempts).

  1. Please tell me which LE rate limit was hit (failed-validation vs duplicate-certificate / per-domain) so I know the reset

window (≈1 hour vs up to 7 days).

  1. If you can reset/expedite the limit on your side, even better.

DNS is correct and stable now and I won't touch it further — it just needs one clean issuance attempt to go through.

Solved$20 Bounty

Pinned Solution

You most likely hit the 7 days LE rate limit. Unfortunately, there isn't anything that can be done on Railway's side, you would just have to wait it out.

1 Replies

Railway
BOT

22 days ago

This thread has been opened as a bounty so the community can help solve it.

Status changed to Open Railway 22 days ago


You most likely hit the 7 days LE rate limit. Unfortunately, there isn't anything that can be done on Railway's side, you would just have to wait it out.


Status changed to Solved 0x5b62656e5d 17 days ago


Welcome!

Sign in to your Railway account to join the conversation.

Loading...