Wildcard custom domain stuck on "Certificate Authority is validating challenges" — DNS all green, no CAA
julfs
HOBBYOP

21 days ago

Hi team — my wildcard custom domain is stuck on "Certificate Authority is validating

challenges" (status ISSUING) and won't finish issuing the SSL certificate.

  • Project: gestaodofrete-prod
  • Service: web
  • Domain: *.gestaodofrete.com.br
  • Custom domain ID: 147ed48a-1625-4555-9f36-1a6ca450f3fa
  • Plan: Hobby

All three required DNS records are present and show green / PROPAGATED in the dashboard:

    •           CNAME -> 9rbikuuj.up.railway.app
  • _acme-challenge CNAME -> 9rbikuuj.authorize.railwaydns.net
  • _railway-verify TXT -> railway-verify=0d6b1f05371d3d107935e2be709a2e8a12ebe048f002681c33fdf74f6eeb4680

DNS provider is Cloudflare; all three records are DNS-only (grey cloud). Verified externally:

  • Via Google & Cloudflare DoH, _acme-challenge.gestaodofrete.com.br correctly serves the

    2 ACME challenge TXT tokens.

  • No CAA records on the zone (any CA may issue). DNSSEC is off.

  • HTTP routing already works (curl returns 200 over the domain) — only the cert is missing.

It's been stuck for 40+ minutes. The ACME challenge tokens are identical across multiple

domain re-creations, suggesting the same Let's Encrypt authorization is being reused

(so delete/re-add doesn't help — I've stopped doing that to avoid LE rate limits).

This looks like the same server-side issuance issue as the "SSL Failing to Issue" thread

(CERTIFICATE_ERROR_TYPE_INTERNAL). Could someone from the team please force a fresh

certificate re-issuance / manually retry for this domain? Thank you!

Solved$10 Bounty

3 Replies

Railway
BOT

21 days ago

This thread has been opened as a bounty so the community can help solve it.

Status changed to Open Railway 21 days ago


Make sure the SSL mode is set to Full (not strict) in your Cloudflare SSL settings.


0x5b62656e5d

Make sure the SSL mode is set to Full (not strict) in your Cloudflare SSL settings.

julfs
HOBBYOP

21 days ago

Thanks for the suggestion! I checked and the zone is already on SSL/TLS mode "Full" (not Strict, not Flexible) — verified just now via the Cloudflare API (/settings/ssl → value: "full"), so that's already in place.

Worth noting: the records for this wildcard are DNS-only (grey-cloud), so the Cloudflare SSL mode shouldn't even be in the path here — the wildcard cert uses a DNS-01 challenge, which is pure DNS resolution.

And the DNS side is fully green:

_acme-challenge.gestaodofrete.com.br → CNAME → 9rbikuuj.authorize.railwaydns.net (DNS-only) ✓

The Let's Encrypt ACME TXT token is published and resolving at the authorize target (confirmed via DoH) ✓

_railway-verify TXT present ✓, no CAA records on the zone, DNSSEC off ✓

HTTP routing already works (curl returns 200 over the domain) — only the cert is missing.

So everything on my end (DNS + Cloudflare) checks out, which points back to the server-side issuance failure (CERTIFICATE_ERROR_TYPE_INTERNAL). Could someone from the team please force a fresh certificate re-issuance / manual retry for this domain? I've avoided delete/re-adding to stay clear of Let's Encrypt rate limits. Thank you!


julfs
HOBBYOP

21 days ago

Update — resolved with a workaround (no longer blocked).

For anyone hitting the same CERTIFICATE_ERROR_TYPE_INTERNAL on a wildcard custom domain: I worked around the server-side issuance failure by fronting the domain with Cloudflare's proxy instead of relying on Railway to issue the cert.

What I did:

Switched the *.gestaodofrete.com.br record in Cloudflare from DNS-only (grey cloud) to Proxied (orange cloud).

Kept Cloudflare SSL/TLS mode on Full (not Strict — the origin still presents Railway's default *.up.railway.app cert, so Strict would fail on the name mismatch; not Flexible — that loops).

Left the custom domain registered in Railway so it still routes by Host header, and left the _acme-challenge / _railway-verify records untouched.

Result: Cloudflare's Universal SSL now serves a valid edge certificate for the first-level wildcard (slug.gestaodofrete.com.br), and Cloudflare reaches the Railway origin over the existing *.up.railway.app cert. All subdomains now load over HTTPS with a valid certificate — no Railway-side re-issuance needed.

This unblocks me, so I'll close this out. It would still be great if the team could look into why the wildcard ACME issuance fails internally (DNS-01 was fully green on my side: _acme-challenge resolving to the authorize target, ACME TXT published, _railway-verify present, no CAA, DNSSEC off), in case others hit it. Thanks for the help!


Status changed to Solved 0x5b62656e5d 21 days ago


Welcome!

Sign in to your Railway account to join the conversation.

Loading...