I'm experiencing issues with wildcard SSL certificate provisioning for my domain *.mydomain.com on my Django service.

Current Status:

Wildcard domain *.mydomain.com is stuck on "Issuing TLS certificate"
Apex domain mydomain.com shows "Setup complete" and works correctly

Railway default domain myapp-django-production.[up.railway.app](up.railway.app) works fine

What I've Done:

Flushed Cloudflare DNS Cache:
Used Cloudflare's purge cache tool at https://one.one.one.one/purge-cache/
Flushed TXT records for _acme-challenge.mydomain.com
Flushed TXT records for _acme-challenge.*.mydomain.com

Current Cloudflare DNS Configuration (all DNS only, no proxy):
CNAME _acme-challenge → [railway-generated].authorize.railwaydns.net (DNS only)
CNAME * → [railway-generated].up.railway.app (DNS only)
CNAME mydomain.com → [railway-generated].up.railway.app (DNS only)

Removed and Re-added Domains:
Deleted *.mydomain.com from Railway
Re-added *.mydomain.com
Copied exact DNS values from Railway's instructions to Cloudflare

All records are set to "DNS only" (grey cloud), NOT proxied
Cloudflare SSL/TLS Settings:
SSL/TLS encryption mode: Full (not Full Strict)
Universal SSL: Active
Railway Status:

Status changed from "Cloudflare proxy detected" to "Issuing TLS certificate"
Has been stuck on "Issuing TLS certificate"

What am I doing wrong here?