21 days ago
Hi team — my wildcard custom domain is stuck on "Certificate Authority is validating
challenges" (status ISSUING) and won't finish issuing the SSL certificate.
- Project: gestaodofrete-prod
- Service: web
- Domain: *.gestaodofrete.com.br
- Custom domain ID: 147ed48a-1625-4555-9f36-1a6ca450f3fa
- Plan: Hobby
All three required DNS records are present and show green / PROPAGATED in the dashboard:
-
-
CNAME -> 9rbikuuj.up.railway.app
-
- _acme-challenge CNAME -> 9rbikuuj.authorize.railwaydns.net
- _railway-verify TXT -> railway-verify=0d6b1f05371d3d107935e2be709a2e8a12ebe048f002681c33fdf74f6eeb4680
DNS provider is Cloudflare; all three records are DNS-only (grey cloud). Verified externally:
-
Via Google & Cloudflare DoH, _acme-challenge.gestaodofrete.com.br correctly serves the
2 ACME challenge TXT tokens.
-
No CAA records on the zone (any CA may issue). DNSSEC is off.
-
HTTP routing already works (curl returns 200 over the domain) — only the cert is missing.
It's been stuck for 40+ minutes. The ACME challenge tokens are identical across multiple
domain re-creations, suggesting the same Let's Encrypt authorization is being reused
(so delete/re-add doesn't help — I've stopped doing that to avoid LE rate limits).
This looks like the same server-side issuance issue as the "SSL Failing to Issue" thread
(CERTIFICATE_ERROR_TYPE_INTERNAL). Could someone from the team please force a fresh
certificate re-issuance / manually retry for this domain? Thank you!
3 Replies
21 days ago
This thread has been opened as a bounty so the community can help solve it.
Status changed to Open Railway • 21 days ago
21 days ago
Make sure the SSL mode is set to Full (not strict) in your Cloudflare SSL settings.
0x5b62656e5d
Make sure the SSL mode is set to Full (not strict) in your Cloudflare SSL settings.
21 days ago
Thanks for the suggestion! I checked and the zone is already on SSL/TLS mode "Full" (not Strict, not Flexible) — verified just now via the Cloudflare API (/settings/ssl → value: "full"), so that's already in place.
Worth noting: the records for this wildcard are DNS-only (grey-cloud), so the Cloudflare SSL mode shouldn't even be in the path here — the wildcard cert uses a DNS-01 challenge, which is pure DNS resolution.
And the DNS side is fully green:
_acme-challenge.gestaodofrete.com.br → CNAME → 9rbikuuj.authorize.railwaydns.net (DNS-only) ✓
The Let's Encrypt ACME TXT token is published and resolving at the authorize target (confirmed via DoH) ✓
_railway-verify TXT present ✓, no CAA records on the zone, DNSSEC off ✓
HTTP routing already works (curl returns 200 over the domain) — only the cert is missing.
So everything on my end (DNS + Cloudflare) checks out, which points back to the server-side issuance failure (CERTIFICATE_ERROR_TYPE_INTERNAL). Could someone from the team please force a fresh certificate re-issuance / manual retry for this domain? I've avoided delete/re-adding to stay clear of Let's Encrypt rate limits. Thank you!
21 days ago
Update — resolved with a workaround (no longer blocked).
For anyone hitting the same CERTIFICATE_ERROR_TYPE_INTERNAL on a wildcard custom domain: I worked around the server-side issuance failure by fronting the domain with Cloudflare's proxy instead of relying on Railway to issue the cert.
What I did:
Switched the *.gestaodofrete.com.br record in Cloudflare from DNS-only (grey cloud) to Proxied (orange cloud).
Kept Cloudflare SSL/TLS mode on Full (not Strict — the origin still presents Railway's default *.up.railway.app cert, so Strict would fail on the name mismatch; not Flexible — that loops).
Left the custom domain registered in Railway so it still routes by Host header, and left the _acme-challenge / _railway-verify records untouched.
Result: Cloudflare's Universal SSL now serves a valid edge certificate for the first-level wildcard (slug.gestaodofrete.com.br), and Cloudflare reaches the Railway origin over the existing *.up.railway.app cert. All subdomains now load over HTTPS with a valid certificate — no Railway-side re-issuance needed.
This unblocks me, so I'll close this out. It would still be great if the team could look into why the wildcard ACME issuance fails internally (DNS-01 was fully green on my side: _acme-challenge resolving to the authorize target, ACME TXT published, _railway-verify present, no CAA, DNSSEC off), in case others hit it. Thanks for the help!
Status changed to Solved 0x5b62656e5d • 21 days ago