TLS Certificate Issuance Stuck - Cloudflare
tlb-ch
PRO (OP)

2 months ago

Hello,

Have an issue with our website subdomain TLS Certificate Issuance, have gone through the usual routes to troubleshoot. This has been working perfectly for the past 3 months and seems to only have just popped up.

CNAME for wildcard and acme challenge are both proxied off (orange cloud)

I've tried removing and readding everything, just gets stuck issuing certificate.

SSL/TLS encryption is set to Full.

Any support or help would be welcome

$10 Bounty

6 Replies

2 months ago

This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.

Status changed to Open by brody about 2 months ago


ilyassbreth
FREE

2 months ago

check this:

  1. the _acme-challenge cname must be gray cloud (dns only) - not proxied. this is critical for railway's verification to work

  2. your wildcard * cname - can be proxied (orange) or not, your choice

  3. cloudflare ssl/tls settings (go to ssl/tls → overview):

    • encryption mode: "full" (not full strict)

    • universal ssl: enabled

if those are already correct and it's still stuck then remove both cnames from cloudflare dns, after that remove the domain from railway, and wait a few minutes then re-add everything fresh

also worth checking if you have any old txt records left over from previous attempts, those can interfere with validation

hope this helps you 🙂


tlb-ch
PRO (OP)

2 months ago

Hi, thanks for reaching out.

  • Yes have gone through all of these - still no luck unfortunately.


ilyassbreth
FREE

2 months ago

how long stuck?


tlb-ch
PRO (OP)

2 months ago

About 3 days ago, I think, the TLS certificate failed to issue. Before this we've been wildcarding for tenant subdomains without any issue. No change of configuration.

For info - I reached out to Cloudflare, thought it might have been a stuck TXT record - and they gave me this response

When Universal SSL is active, Cloudflare automatically performs domain control validation (DCV) with its Certificate Authorities. As part of this process, Cloudflare serves ACME validation TXT records at the authoritative DNS level. These records do not appear in the DNS dashboard or API responses and cannot be manually edited or purged.

Please note that when Universal SSL is enabled, Cloudflare will always serve its own ACME validation records for _acme-challenge. As a result, it is not supported to use a third-party ACME provider (such as Let’s Encrypt via Railway) for the same hostname at the same time, as this will cause validation conflicts.

To resolve this, you will need to choose one of the following options:

  • Continue using Cloudflare Universal SSL and avoid third-party ACME validation on this hostname

  • Disable Universal SSL for the zone and then use your third-party ACME provider

  • Perform third-party ACME validation on a different hostname that is not covered by Universal SSL


ilyassbreth
FREE

2 months ago

so here cloudflare support just told you the exact problem: cloudflare's universal ssl is conflicting with railway's let's encrypt validation

when universal ssl is on, cloudflare automatically serves its own _acme-challenge records at dns level that you can't see or control. this blocks railway from doing its validation

the fix:

  1. go to cloudflare → ssl/tls → edge certificates

  2. scroll down and disable universal ssl

  3. wait 2-3 minutes for it to fully disable

  4. then remove and re-add your domain in railway

  5. railway should now be able to validate and issue the cert

once railway issues the cert, you can re-enable universal ssl if you want, but during the initial validation it needs to be off

this explains why it suddenly broke after working fine, something triggered cloudflare to start serving its own acme records which blocked railway

try that and let me know if the certificate finally issues
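The conflict described in the last two replies can be confirmed from the zone's own nameserver before touching any settings. The diagnostic below is an added example, not code from this thread or from Railway/Cloudflare: it queries `_acme-challenge.<host>` at the authoritative nameserver (via `dig`, assumed installed) and classifies the answer as a clean CNAME delegation, a proxied (orange-cloud) record answered as A/AAAA, or Cloudflare answering TXT itself, which is the Universal SSL DCV situation Cloudflare support describes. Hostnames and record data in the comments and tests are constructed placeholders.

```python
import shutil
import subprocess

# Finding codes and what each one means for a stalled DNS-01 issuance.
EXPLAIN = {
    "cloudflare-dcv": ("zone answers TXT for _acme-challenge itself (Universal "
                       "SSL DCV); third-party ACME on this hostname conflicts"),
    "proxied": ("_acme-challenge answers with A/AAAA instead of a CNAME: it is "
                "orange-clouded, switch it to DNS only"),
    "delegated": "CNAME present; validation follows it to the ACME provider",
    "missing": "no _acme-challenge record at the authoritative nameserver",
}


def parse_dig_answer(output: str) -> list:
    """Parse `dig +noall +answer` lines into (owner, rrtype, rdata) tuples."""
    rrs = []
    for line in output.splitlines():
        parts = line.split(None, 4)  # owner ttl class type rdata
        if len(parts) == 5 and parts[2] == "IN":
            rrs.append((parts[0].rstrip(".").lower(), parts[3], parts[4].strip()))
    return rrs


def classify(host: str, rrs: list) -> list:
    """Return finding codes (keys of EXPLAIN) for _acme-challenge.<host>."""
    name = f"_acme-challenge.{host}".lower().rstrip(".")
    types = {rrtype for owner, rrtype, _ in rrs if owner == name}
    findings = []
    if "TXT" in types:  # Cloudflare serving its own DCV records at this name
        findings.append("cloudflare-dcv")
    if "CNAME" in types:
        findings.append("delegated")
    elif types & {"A", "AAAA"}:  # a proxied CNAME is answered as Cloudflare IPs
        findings.append("proxied")
    return findings or ["missing"]


def query_authoritative(host: str, nameserver: str) -> list:
    """Live lookup with dig against the zone's authoritative (Cloudflare) NS."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    name = f"_acme-challenge.{host}"
    rrs = []
    for rrtype in ("CNAME", "TXT", "A", "AAAA"):
        cmd = ["dig", "+noall", "+answer", f"@{nameserver}", name, rrtype]
        out = subprocess.run(cmd, capture_output=True, text=True, check=False)
        rrs.extend(parse_dig_answer(out.stdout))
    return rrs
```

Run `classify(host, query_authoritative(host, "<your zone's cloudflare ns>"))` and print `EXPLAIN[code]` for each code; a `cloudflare-dcv` finding is the case where disabling Universal SSL (or moving to another hostname) is the only way forward.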


chris-opendata
HOBBY

2 months ago

It sounds like the initial issue was caused by Let’s Encrypt's 90-day expiry cycle. The solution means you need to redo it every 90 days. Am I right?

