Wildcard Subdomain Setup with Cloudflare

collinskorir
HOBBY

2 months ago

I am trying to set up a wildcard subdomain on railway with cloudflare DNS. So far I am experiencing a 525 error whenever I access the subdomain, e.g. https://fashion-store.shule.io. I followed the guides and turned off proxying for the _acme-challenge DNS record. I also used full SSL/TLS encryption mode and I made sure that the universal SSL is enabled. I did these according to this guide (https://docs.railway.com/guides/public-networking#wildcard-domains)

All I can see on the railway networking tab is "Cloudflare proxy detected". There are no logs for this service as it's not being served at all through the wildcard subdomain. I would really appreciate help figuring this issue out.

Thanks

Solved

27 Replies

echohack
EMPLOYEE

2 months ago

Real quick before I dive into more details. Are you using Full or Full (Strict)?

Full (Strict) will cause the initial handshake to fail and you'll receive a 525 error in that case.


Status changed to Awaiting User Response Railway 2 months ago


collinskorir
HOBBY

2 months ago

We are using Full

Attachments


Status changed to Awaiting Railway Response Railway 2 months ago


collinskorir
HOBBY

2 months ago


Also, while testing with Flexible or Off (not secure), I get ERR_TOO_MANY_REDIRECTS


echohack
EMPLOYEE

2 months ago

Full is correct.

Can you give me a screenshot of your DNS Management?

You can find this section under Your domain -> DNS -> Records


Status changed to Awaiting User Response Railway 2 months ago


collinskorir
HOBBY

2 months ago

Yeah sure

Attachments


Status changed to Awaiting Railway Response Railway 2 months ago


echohack
EMPLOYEE

2 months ago

Can we redeploy the service? Everything here looks correct to me.


Status changed to Awaiting User Response Railway 2 months ago


collinskorir
HOBBY

2 months ago

Yeah that's okay. You want me to do that or you'll do it on your side?


Status changed to Awaiting Railway Response Railway 2 months ago


collinskorir
HOBBY

2 months ago

Also, should it be saying "Cloudflare proxy detected" on my networking tab?

Attachments


collinskorir
HOBBY

2 months ago

On redeployment, it still has the 525 response


Railway
BOT

2 months ago

Hello!

We're acknowledging your issue and attaching a ticket to this thread.

We don't have an ETA for it, but, our engineering team will take a look and you will be updated as we update the ticket.

Please reply to this thread if you have any questions!


Status changed to Awaiting User Response Railway 2 months ago


echohack
EMPLOYEE

2 months ago

OK! I found the issue. The acme challenge failed, unfortunately due to a Cloudflare issue (more info here: https://community.cloudflare.com/t/stale-dns-records-being-served-by-cloudflare/619916)

This is due to a stale txt record on Cloudflare's side. Here's what you can do:

1. Remove the wildcard domain from Cloudflare.
2. Remove the corresponding DNS from Cloudflare.
3. Turn off Universal SSL.
4. Wait 10 or so minutes.
5. Turn Universal SSL back on.
6. Add the domain back to Railway and finish the corresponding setup.

Sorry this is such a pain :(


collinskorir
HOBBY

2 months ago

Alright, trying this. Will revert.


Status changed to Awaiting Railway Response Railway 2 months ago


collinskorir
HOBBY

2 months ago

Unfortunately this didn't resolve the issue. I'll try again in case I missed something


2 months ago

Sounds good let us know!


Status changed to Awaiting User Response Railway 2 months ago


collinskorir
HOBBY

2 months ago

I've tried again twice, including removing my domain from cloudflare and setting it up again, but no success. Status on Railway still says "Cloudflare proxy detected". I've tried disabling universal ssl and waiting at least 10 mins before enabling again but it didn't work either. I still get a 525 response when visiting the site.


Status changed to Awaiting Railway Response Railway 2 months ago


collinskorir
HOBBY

2 months ago

Any info on why this is happening? I'm still unable to solve this issue


echohack
EMPLOYEE

2 months ago

Hey Colin, we've escalated this thread for our engineers to help out. Sorry you're still facing this issue after trying to reissue the certificate.


Status changed to Awaiting User Response Railway 2 months ago


collinskorir
HOBBY

2 months ago

Hey, no worries. I appreciate the help. Thanks


Status changed to Awaiting Railway Response Railway 2 months ago


echohack
EMPLOYEE

2 months ago

Hey Collin,

I think you might need to ask Cloudflare to flush the stale TXT record, we're still seeing acme challenge failures on our end.

Here are some relevant logs you can share with Cloudflare

```
{
"message": "couldn't get certificate: solving challenge: .shule.io: [.shule.io] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Incorrect TXT record \"OQg0vrTb6V9aVEDPAGWc8tB9-X6GjwmMdftnApf4-KQ\" (and 1 more) found at _acme-challenge.shule.io",
"source": "GoSDK",
"cause": {
"message": "couldn't get certificate: solving challenge: .shule.io: [.shule.io] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - Incorrect TXT record \"OQg0vrTb6V9aVEDPAGWc8tB9-X6GjwmMdftnApf4-KQ\" (and 1 more) found at _acme-challenge.shule.io",
"source": "GoSDK",
```


Status changed to Awaiting User Response Railway 2 months ago
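The error quoted above is the CA rejecting a DNS-01 challenge because the TXT values it found at `_acme-challenge.shule.io` were not the one it expected. The script below is an added example (not code from this thread, from Railway, or from Cloudflare) that reproduces the CA's side of that check as specified in RFC 8555 section 8.4: it derives the expected TXT value from the challenge token and the account key's RFC 7638 thumbprint, compares it against the records a resolver actually serves, and parses the quoted error message into its parts. The account key, token and served records are constructed placeholders; only the error message text and record name are taken from the thread.

```python
"""Added example: diagnose a stale _acme-challenge TXT record the way an
ACME CA evaluates a DNS-01 challenge (RFC 8555 section 8.4)."""
import base64
import hashlib
import json
import re
from typing import Dict, List, Optional


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME mandates."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account public key: SHA-256 over the
    required public members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT value the CA expects at _acme-challenge.<domain>:
    base64url(SHA-256(token || '.' || thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def check_dns01(expected: str, served_txt: List[str]) -> Dict[str, object]:
    """Mimic the CA's decision: the challenge passes if ANY served record
    matches; otherwise every value found is stale from the CA's point of view."""
    ok = expected in served_txt
    return {"ok": ok, "stale": [v for v in served_txt if v != expected]}


# Matches the 'unauthorized' message format quoted in the thread (after JSON
# decoding, so the escaped quotes are plain quotes).
ACME_ERROR_RE = re.compile(
    r'Incorrect TXT record "(?P<found>[^"]+)"'
    r'(?: \(and (?P<more>\d+) more\))? found at (?P<name>\S+)'
)


def parse_acme_error(message: str) -> Optional[Dict[str, object]]:
    """Extract the record name, the first served value and how many extra
    values the CA saw, so the stale entries can be named to the DNS provider."""
    m = ACME_ERROR_RE.search(message)
    if not m:
        return None
    return {"name": m["name"], "found": m["found"],
            "additional": int(m["more"] or 0)}


# Constructed sample inputs (placeholders, not a real key or CA token).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "PLACEHOLDER-X-COORDINATE", "y": "PLACEHOLDER-Y-COORDINATE"}
SAMPLE_TOKEN = "example-challenge-token-from-ca"
# Constructed log line using the message text quoted in the thread.
SAMPLE_LOG = json.dumps({
    "message": ('couldn\'t get certificate: solving challenge: .shule.io: '
                '[.shule.io] authorization failed: HTTP 403 '
                'urn:ietf:params:acme:error:unauthorized - Incorrect TXT record '
                '"OQg0vrTb6V9aVEDPAGWc8tB9-X6GjwmMdftnApf4-KQ" (and 1 more) '
                'found at _acme-challenge.shule.io'),
    "source": "GoSDK",
})


def parse_sample_log() -> Optional[Dict[str, object]]:
    """Parse the constructed log record the way a log consumer would."""
    return parse_acme_error(json.loads(SAMPLE_LOG)["message"])


def diagnose(served_txt: List[str]) -> Dict[str, object]:
    """Full walk-through for the sample account key and token against the
    TXT records a resolver returned (constructed list in the caller)."""
    expected = dns01_txt_value(SAMPLE_TOKEN, jwk_thumbprint(SAMPLE_JWK))
    result = check_dns01(expected, served_txt)
    result["expected"] = expected
    return result


if __name__ == "__main__":
    # A resolver still serving two old values alongside nothing current:
    stale_only = diagnose(["OQg0vrTb6V9aVEDPAGWc8tB9-X6GjwmMdftnApf4-KQ",
                           "some-other-old-value"])
    print("stale only ->", stale_only)
    # The same zone after the current value is present (old ones may linger):
    healthy = diagnose([stale_only["expected"], "some-other-old-value"])
    print("current present ->", healthy)
    print("parsed error ->", parse_sample_log())
```

To compare against live DNS, feed `diagnose()` the TXT strings returned by a resolver outside Cloudflare's network (for example the answer from a public resolver for `_acme-challenge.<zone>`); if the value Railway is trying to validate is absent and only older values appear, the zone is serving stale records and those are the values to ask the DNS provider to flush.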


collinskorir
HOBBY

2 months ago

Alright, let me reach out to Cloudflare support


Status changed to Awaiting Railway Response Railway 2 months ago


echohack
EMPLOYEE

2 months ago

Thanks Collin, just let us know whenever they're able to flush the txt record!


Status changed to Awaiting User Response Railway 2 months ago


2 months ago

Hey there Collin,

Did you contact support on their side? With that said, I am going to mark this as solved and you can re-open it if you get more data. All systems on our side are showing that we're waiting for the record to flush.

- Angelo


Status changed to Solved angelo 2 months ago


collinskorir
HOBBY

2 months ago

Hi Angelo,
We are still trying to reach out to cloudflare support. Please let me get back to you today.


Status changed to Awaiting Railway Response Railway 2 months ago


collinskorir
HOBBY

2 months ago

I escalated the issue on cloudflare community because we don't have access to cloudflare business so I'm awaiting response from their support team. Please give us some time to confirm resolution. I have also found multiple similar issues on cloudflare support.


Status changed to Awaiting User Response christian 2 months ago


collinskorir
HOBBY

2 months ago

Hey guys,

Please advise on the following. Here are some resolutions suggested on cloudflare community:

The link to the issue is: https://community.cloudflare.com/t/stale-txt-records/802332/2

Some options that I see, that could ease the burden:

1. Ask Railway to supply the content they require, for the TXT record, and add and/or update it regularly, when they need to issue a new certificate.

2. Ask Railway to change their certificate validation to HTTP, instead of DNS.

3. If you can upload your own certificate to Railway, you can use a Cloudflare origin CA · Cloudflare SSL/TLS docs.
   These won't work together with Unproxied / DNS-only records

I think what would probably be easiest for me is to get the correct TXT from you and add it to my cloudflare DNS. Let me know what you think.


Status changed to Awaiting Railway Response Railway 2 months ago


Status changed to Awaiting Railway Response chandrika 2 months ago


Railway
BOT

2 months ago

✅ The internal ticket Wildcard Certificate receiving SSL Handshake Error 525 has been marked as completed.


Status changed to Solved collinskorir 2 months ago


collinskorir
HOBBY

2 months ago

Hey, the issue is currently not resolved. Are you able to give me feedback regarding the last recommendation?


Status changed to Awaiting Railway Response Railway 2 months ago


Status changed to Solved collinskorir 2 months ago
