Custom domain www.cashdoorkey.com has been stuck in post-DNS-verified, pre-ACME-fired state for 12+ hours despite 6 delete/re-add cycles with fresh CNAME targets. Apex cashdoorkey.com issued its LE cert fine earlier today via a different path (CF Single Redirect + A 192.0.2.1 proxied). Only www is stuck.

Project: 6a7b6fa8-d796-417d-be4a-dd2cb2b29127

Service: 2848c6ec-211b-4765-83cc-6caccdd8618b (property-platform-app)

Environment: e438be19-d7f5-496c-9da0-619b3cf7619b

Custom domain: www.cashdoorkey.com

Current Railway target: x0j1ken1.up.railway.app (rotated multiple times)

GraphQL domains query shows:

- dnsRecords.status = DNS_RECORD_STATUS_PROPAGATED

- dnsRecords.currentValue = x0j1ken1.up.railway.app (matches required)

- certificates = [] (empty)

openssl to www serves *.up.railway.app wildcard cert (CN=*.up.railway.app, Issuer: Certainly). Edge returns x-railway-fallback: true header — your edge sees the traffic but never bound www to our service.

What I've verified:

- CAA records on cashdoorkey.com: none (LE allowed)

- DNSSEC: disabled

- _acme-challenge.www.cashdoorkey.com TXT returns NXDOMAIN at CF authoritative NS (no phantom)

- CF Universal SSL: toggled OFF then ON to clear phantom TXTs; verified clean

- CF SSL mode: Full

- CF proxy: gray cloud (DNS-only) on www CNAME

- crt.sh: 0 certs ever issued for www.cashdoorkey.com — LE has never received an order for this FQDN, so I am not rate-limited

- Apex cashdoorkey.com issued its LE cert today through a different mechanism

This matches the fingerprint of staff-resolved tickets from 2025 (stuck-at-issuing-tls-certificate-for-day-9015e5d8 and ssl-certificate-is-suddenly-issuing-tls-e0117f3a) where only staff intervention cleared it.

Request: please reset internal ACME state for www.cashdoorkey.com on Railway's side, and confirm no stale lock from the 6 re-adds is blocking issuance.

Thanks,

Trey