www custom domain stuck at "Issuing TLS certificate" (namecheap)

jaumefabrega
HOBBY

2 months ago

Hi,

I have a simple Express web server. I bought a custom domain from namecheap. I then followed Railway’s instructions to link it.

  1. Railway gave me 2 CNAME records, 1 (@) for the domain without the www and the other (www) for the domain with the www.

  2. I added them through namecheap.

  3. The domain was correctly linked, but visiting the website gave a “not secure” error (net::ERR_CERT_COMMON_NAME_INVALID).

  4. Railway showed “Issuing TLS certificate”.

  5. I waited for around an hour. It still didn’t work (made sure to try in incognito, and also checked that the DNS had propagated).

  6. I then removed them from both Railway and Namecheap and created new ones and added them again.

  7. This solved the issue for the domain without www (e.g. example.com): Railway stated “Setup complete”, and I could visit http://example.com

  8. But the www version was still stuck at “Issuing TLS certificate”.

  9. For the www version, I repeated the process (removing and re-adding) 5 times (waiting between tries; once I even waited for 15 hours) and it is not working; I always had the same problem.

In namecheap, DNSSEC is disabled (and has been since the start of the process).

How should I proceed?

Thank you :)

Project ID: 088c865f-bd5b-47c1-8636-646b6fae114d

Solved · $10 Bounty

5 Replies

lovejain
FREE

2 months ago

The same happened to me. The fix is: put your complete domain, starting from www, in the custom domain field, and put the ID that Railway provides in a CNAME with @ as the host and the Railway-provided ID as the value.
Also add your IP address to an A record in Namecheap,

and then it will work.


brandon
HOBBY

2 months ago

Hey @jaumefabrega, I ran into something similar before, so here are a few things you could check:

1. **CNAME Setup for www** – Just to double-check: in Namecheap, your www record should be a **CNAME pointing to your Railway subdomain** (like your-app.up.railway.app. — don’t forget the dot at the end if Namecheap requires it).

2. **Propagation Confirmation** – Try a tool like https://dnschecker.org to verify that www.yourdomain.com is resolving properly worldwide before Railway can generate a cert.

3. **No Duplicate A or AAAA Records** – Make sure there are **no A or AAAA records** for www. Railway uses CNAME-based verification, and having those can mess with the cert issuance.

4. **Force HTTP to HTTPS redirect temporarily OFF** – If enabled, turn off HTTPS redirection in Railway settings for now until the cert is fully issued. Sometimes it causes premature redirection errors before the cert is ready.

5. **Try setting www as a separate domain in Railway** – In the Railway domain settings, instead of relying only on a wildcard, try adding www.yourdomain.com explicitly if you haven't yet.

Let me know if any of that works — happy to troubleshoot with you!


melivoracapensis
FREE

2 months ago

Your subdomain DNS is fine, but TLS certificate never finishes issuing on Railway.

You see “net::ERR_CERT_COMMON_NAME_INVALID” on www version.

DNSSEC is OFF (which is correct).

You have correct CNAME for www set to Railway's value.

Railway needs to prove domain control to get a TLS certificate for each domain (root and www).

Sometimes, especially with www, something interferes:

- DNS propagation isn't complete (doesn’t seem like your case, you waited long enough and tried various devices).
- You have another CNAME or conflicting record for www (sometimes from a previous setup).
- DNS is cached somewhere (unlikely if you’ve waited >15 hours and cleared cache).
- Some providers (including Namecheap) force a “URL Redirect” on www records, or have default A records, which can break CNAME behavior.

Try to:

1. Check your current DNS records for www

Go to https://dnschecker.org/ and enter www.example.com.

Check if it points to the CNAME that Railway told you (often something like cname.example.railway.app).

If you see an A record, that’s a problem - you need only a CNAME for www.

If you see a CNAME, what is the value? It must be exactly what Railway gave you.

If you see a mix (A + CNAME), remove all but the CNAME for www.

2. Double-check for conflicting records

In Namecheap, go to Advanced DNS.

Remove any A, URL Redirect, or ALIAS records for www.

There should only be one CNAME for www pointing to Railway's value.

If you see an “@” A record for root, that’s OK - just make sure www is CNAME-only.

3. DNS Propagation Check

Again, use dnschecker.org and check multiple locations for www.example.com.

If every result shows the correct CNAME, you’re good.

If not, you might have to wait another 30–60 mins, but usually, it should show everywhere within a few hours.

4. Railway Domain Settings

In Railway, remove the www domain and re-add it only after you’ve confirmed DNS is 100% correct.

Wait for the status to move past "Pending" to "Setup complete".

This can take up to an hour, but usually is quick if DNS is good.

Do not try to visit the site with HTTPS until it says “Setup complete”.

Doing so can actually "lock in" a bad status in your browser (due to HSTS or caching).

---

If that didn't help: check the Railway dashboard logs/errors — sometimes they have a tiny “details” link that gives more info.

If you see any error about domain control validation, double-check the CNAME record on dnschecker.org.

If it’s correct and has been for 2+ hours, contact Railway support - sometimes their cert system gets stuck and needs a manual nudge.

If you go through these steps and it’s still not working, it’s almost certainly a Railway-side issue, not DNS.

Railway support is usually responsive for stuck SSL issuance.


2 months ago

Something you could do temporarily is set up a redirect to the working SSL domain: https://www.namecheap.com/support/knowledgebase/article.aspx/385/2237/how-to-set-up-a-url-redirect-for-a-domain

Alternatively you could try setting up Cloudflare on your domain. Make sure you turn the SSL setting from flexible to Full in the CF dashboard.


jaumefabrega
HOBBY

a month ago

Sorry for the delay in answering. None of the suggested solutions worked.

Here's how I fixed it:

  1. In Railway, delete the www.example.com custom domain.

  2. In Namecheap, delete the www CNAME record.

  3. Wait for the changes (the deletion of the record) to propagate <-- THIS IS THE KEY STEP

  4. Once the changes have propagated and there is no existing www CNAME record, re-create the www.example.com custom domain in Railway.

  5. Railway will indicate something like "record does not exist yet". As you'd do normally, take the value provided by Railway and create the www CNAME record in Namecheap.

  6. Railway correctly finishes the setup and everything works.

So I guess the issue was that Railway gets confused if upon creation of a new domain it sees the record in the DNS already exists but has the wrong value. When you then update the value in Namecheap, Railway correctly detects the change, but for some reason it gets stuck on the "issuing TLS" step. Maybe worth it for the Railway team to look into it.

Thank you all for your answers anyway


Status changed to Solved chandrika about 1 month ago
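
A way to verify the key step in the accepted fix (the deleted www record has really disappeared from resolvers) and the record conflicts the replies describe, as an added example that is not part of the thread or Railway's tooling. It classifies `dig +noall +answer` output for the www name; the target `your-app.up.railway.app`, the function names and the sample answers are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: classify what resolvers return for the www name.
# stdin = `dig +noall +answer` lines; $1 = host; $2 = CNAME target the platform gave you.
classify_www() {
  awk -v host="$1" -v want="$2" '
    function norm(s) { s = tolower(s); sub(/\.$/, "", s); return s }
    BEGIN { host = norm(host); want = norm(want) }
    norm($1) != host { next }   # ignore records owned by the CNAME target itself
    $4 == "CNAME" { n++; if (norm($5) != want) stale = 1 }
    $4 == "A" || $4 == "AAAA" { conflict = 1 }
    END {
      if (conflict)    print "CONFLICT"   # A/AAAA on www: the replies say to remove it
      else if (n == 0) print "ABSENT"     # deletion has propagated: safe to re-create
      else if (stale)  print "STALE"      # an old CNAME value is still being served
      else             print "OK"         # CNAME-only, pointing at the expected target
    }'
}

# Ask several public resolvers (Cloudflare, Google, Quad9); needs network and dig.
check_resolvers() {
  for r in 1.1.1.1 8.8.8.8 9.9.9.9; do
    ans=$( { dig +noall +answer "@$r" "$1" A; dig +noall +answer "@$r" "$1" AAAA; } 2>/dev/null )
    printf '%s\t%s\n' "$r" "$(printf '%s\n' "$ans" | classify_www "$1" "$2")"
  done
}

# Constructed sample answers (documentation IPs, placeholder targets).
SAMPLE_OK='www.example.com. 300 IN CNAME your-app.up.railway.app.
your-app.up.railway.app. 60 IN A 203.0.113.10'
SAMPLE_STALE='www.example.com. 300 IN CNAME old-value.up.railway.app.'
SAMPLE_CONFLICT='www.example.com. 1800 IN A 192.0.2.55'

if [ "$#" -ge 2 ]; then
  check_resolvers "$1" "$2"          # live check: host and expected target as arguments
else
  for s in "$SAMPLE_OK" "$SAMPLE_STALE" "$SAMPLE_CONFLICT" ""; do
    printf '%s\n' "$s" | classify_www www.example.com your-app.up.railway.app
  done
fi
```

Re-create the custom domain only once every resolver reports `ABSENT`; recursive resolvers cache answers for the record's TTL, so a single clean result is not enough.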


www custom domain stuck at "Issuing TLS certificate" (namecheap) - Railway Help Station