Wildcard custom domain *.brimwise.com failing to issue TLS certificate — internal error
amackley
PROOP

14 days ago

I am adding *.brimwise.com as a custom domain on my Railway web service (project: brimwise, environment: production). My DNS is managed through Cloudflare. The apex domain brimwise.com is already working correctly as a Railway custom domain with a valid certificate.

DNS records in Cloudflare (all confirmed propagated):

Type: CNAME | Name: * | Value: qtuanul9.up.railway.app | Proxy: DNS only

Type: CNAME | Name: _acme-challenge | Value: qtuanul9.authorize.railwaydns.net | Proxy: DNS only

Type: TXT | Name: _railway-verify | Value: railway-verify=239fdc6e585fb084014502a470993b24c0ec36f87e388853f1cd880013a362c4 | Proxy: N/A

DNS resolution is confirmed working — demo.brimwise.com resolves to qtuanul9.up.railway.app and HTTP requests return a 301 redirect to HTTPS, confirming Railway is receiving traffic. The only failure is SSL certificate issuance.


What I have tried

  1. Added all three DNS records Railway requested (CNAME for *, CNAME for _acme-challenge, TXT for _railway-verify)
  2. Waited 20+ minutes for DNS propagation before attempting certificate issuance
  3. Retried certificate issuance twice via the Railway dashboard
  4. Each attempt progresses to "Certificate Authority is validating challenges" then fails with: "Failed to issue TLS certificate. An internal error occurred. Please retry."

Expected behavior: Railway issues a wildcard Let's Encrypt certificate for *.brimwise.com via the _acme-challenge CNAME delegation.

Actual behavior: Certificate issuance fails with an internal error on every attempt.

$20 Bounty

3 Replies

Railway
BOT

14 days ago

This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.

Status changed to Open Railway 14 days ago


Make sure the SSL is set to Full (not strict) in your Cloudflare settings. Also, it may take a few hours (maybe even a day, but rarely), for Railway to validate the DNS and issue the certificates.


amackley
PROOP

14 days ago

Thank you. I verified. Current encryption mode: Full


richwardle
PRO

13 days ago

Wildcards go through Let's Encrypt's DNS-01 challenge against _acme-challenge.brimwise.com — your CNAME pointing to qtuanul9.authorize.railwaydns.net is set up correctly for that.

Two things that block wildcard issuance specifically and are easy to miss:

  1. CAA records on the apex. Run dig CAA brimwise.com. If any record exists that isn't letsencrypt.org — e.g. an issuewild "comodoca.com" left over from a previous cert purchase — Let's Encrypt silently refuses to issue with no clear error in Railway's UI. The fix is either no CAA or 0 issuewild "letsencrypt.org" + 0 issue "letsencrypt.org".

  2. Verify the DNS-01 chain actually resolves end-to-end from your authoritative NS, not just your local resolver:

dig CNAME _acme-challenge.brimwise.com @<your-cloudflare-ns>
dig TXT _acme-challenge.qtuanul9.authorize.railwaydns.net

Both need to return values for Let's Encrypt's lookup to succeed. If either is empty, the validation never completes regardless of how long you wait.

One more: Let's Encrypt rate-limits wildcards separately at 5 duplicate cert issuances per week per FQDN. If Railway has retried issuance for *.brimwise.com several times while you've been debugging, you may have burned the budget and will need to wait until the window resets.
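As an added example (my code, not Railway's or the poster's), here are the two checks from the reply above, the RFC 8659 CAA evaluation for a wildcard name and the DNS-01 delegation chain, run offline over constructed in-memory records that mirror the thread's setup. The issuewild "comodoca.com" record and the TXT token are constructed stand-ins, not anything observed on brimwise.com.

```python
# Constructed in-memory records (not live DNS) mirroring the poster's setup.
ZONE = {
    "brimwise.com": {"CAA": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "comodoca.com"),   # constructed "leftover" record
    ]},
    "_acme-challenge.brimwise.com": {"CNAME": ["qtuanul9.authorize.railwaydns.net"]},
    "qtuanul9.authorize.railwaydns.net": {"TXT": ["constructed-challenge-token"]},
}


def resolve(name, rtype, zone=ZONE, max_hops=8):
    """Follow CNAMEs the way a resolver does; return the final RRset or []."""
    for _ in range(max_hops):
        rrs = zone.get(name.lower().rstrip("."), {})
        if rtype in rrs:
            return rrs[rtype]
        if "CNAME" not in rrs:
            return []
        name = rrs["CNAME"][0]
    return []  # CNAME loop or chain too long


def dns01_chain_ok(domain, zone=ZONE):
    """Let's Encrypt queries TXT _acme-challenge.<domain>, following delegation CNAMEs."""
    return bool(resolve(f"_acme-challenge.{domain.removeprefix('*.')}", "TXT", zone))


def caa_permits(name, ca, zone=ZONE):
    """RFC 8659 check: climb from the name toward the apex to the closest CAA RRset.
    For a wildcard, 'issuewild' records govern when present, otherwise 'issue'.
    No relevant record anywhere means issuance is permitted."""
    wildcard = name.startswith("*.")
    labels = (name[2:] if wildcard else name).lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), {}).get("CAA")
        if not rrset:
            continue  # no CAA at this label, try the parent
        tags = {tag for _, tag, _ in rrset}
        tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
        allowed = [val.split(";")[0].strip() for _, t, val in rrset if t == tag]
        return ca in allowed if allowed else True   # '0 issue ";"' denies every CA
    return True


if __name__ == "__main__":
    for target in ("brimwise.com", "*.brimwise.com"):
        print(target, "CAA ok:", caa_permits(target, "letsencrypt.org"),
              "DNS-01 chain ok:", dns01_chain_ok(target))
```

With the constructed records, the apex passes but the wildcard is refused by CAA even though the DNS-01 chain resolves, which is the silent-failure case described above.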

