How can I stop needing to verify my Merchant Domain manually every month?

Our client's site uses Apple Pay, and once a month we get a series of emails notifying us that the domain verification is about to expire:

> Your website domain that uses Apple Pay has an SSL Certificate that expires on Oct 11, 2020. We were unable to automatically reverify your domain. To ensure uninterrupted use of Apple Pay on your website, revalidate your domain by Oct 11, 2020 in Certificates, Identifiers & Profiles.

The site uses Let's Encrypt to automatically renew its SSL cert monthly.

Every time that happens, we need to log into the Apple Developer tools, navigate to Certificates, Identifiers, and Profiles -> Identifiers -> Merchant IDs -> ID -> Merchant Domains, then download the file and drop it onto the server with SFTP. It's a pain.

Is there a way to automate this process (or better yet, stop it from happening)? I can't imagine monthly-renewing SSL certificates is a particularly uncommon thing.

Sorry I don't have any suggestions, but I'd love to see Apple implement a better procedure for this as well. +1
I have the same problem.

According to the manual https://developer.apple.com/documentation/apple_pay_on_the_web/maintaining_your_environment

> Make sure that the specified URL you originally used when validating the merchant domain is accessible to Apple servers listed in Allow Apple IP Addresses for Domain Verification. The URL may be similar to
>
> https://yourdomain.com/.well-known/apple-developer-merchantid-domain-association

I am sure that Apple's IPs are not blocked, and the Let's Encrypt SSL certificate has automatically renewed before expiring. But these URLs cannot be found in the access logs:

https://mydomain.com/.well-known/apple-developer-merchantid-domain-association or https://mydomain.com/.well-known/apple-developer-merchantid-domain-association.txt

What is wrong with Apple's automatic verification?

I have this same problem and my certificate isn't about to expire, this looks more to be a bug in Apple's process than anything.
We have exactly the same issue at our company. The initial verification passes, we keep the verification files on the server and still the automatic reverification fails. I even set up some logging, and I see some accesses from the IPs listed in Apple's docs but they're just visits to the homepage, not the verification file. Usually there's two of them in short succession. We return HTTP 200 to both. Verification still fails :-/
We've got the same issue here: the initial verification process passes without any issues but the reverification just never happens. SSL certs have been renewed but Apple just never becomes aware of that.
Have had the same issue for the past 8 months. Our merchant domain association text files are publicly accessible. We use Let's Encrypt certs that are definitely renewed at least 10 days before expiration. Generally they are renewed 30 days before. It's really frustrating to have to manually update the certs every 2 months for all our environments.

Anyone solve this for Let's Encrypt?

Hi All, we are facing the same scenario here. In the end, did any of you have to reupload the .txt files or take any other action? The domain shows as verified and our SSL certs for the server have been renewed. Or was it an issue on Apple's side?

I have the same problem... did you find a solution to this? The verification is active for 2 months for me, then I have to download a new domain verification key and upload to my host. A pain in the *** when you manage several domains and merchant ids...

Can someone from Apple respond to this? This is a bit of a deal breaker for implementing Apple Pay on our sites. We have around 300 of them and if we have to manually upload and verify for every domain AND revalidate once our SSL certs are renewed then it's not really a viable payment solution.

Any updates on this issue? Looking to automate the process, but I would need an API from Apple to query in order to pull down the domain validation string.

We are also having this issue on multiple domains. The domains will validate at first with no issue then consistently fail to automatically revalidate even when the SSL certs are properly renewed and the domain validation file still shows.

There is also no visibility into why the domains are failing validation from the developer console and no API to automate monitoring.

Dear Apple, could you please answer? It seems that automatic verification does not work at all. Just manual. It is a big problem when using short-lived certs such as Let's Encrypt. But also a problem for long-lived certs if you have many, many domains. I already reported this bug via Feedback Assistant but this tool is terrible. In the past we have reported many other issues with no answers after months/years. So no hope Apple will do something about it. Apple Feedback Assistant is private so nobody sees how Apple ignores developers' reports. Google's bug tracker is public and before adding a new bug/ticket you can search whether it is already reported, and employees from Google respond there. This Apple developer forum is the worst support in the world, like their Feedback Assistant. No answers from Apple, just developer complaints. Everyone, please file a bug here https://feedbackassistant.apple.com/ Maybe it will help when many identical issues are reported by more developers.

I'm sure that this is an Apple bug because they do not do what is stated here:

https://developer.apple.com/documentation/apple_pay_on_the_web/maintaining_your_environment

> Renew Your Domain Verification
>
> Domain verification expires on the same date that your domain's SSL certificate expires. Apple servers check if SSL certificates have been renewed at 30, 15, and 7 days before expiration.
>
>   • If you update the SSL certificate before it expires, Apple detects the renewed certificate and the domain remains verified. No further action is required on your part.
>   • If the SSL certificate expires and is not replaced before expiring, you must redo domain verification in your Apple Developer Account. See Verify a Merchant Domain for additional information.

I'm surprised that Apple has a global bug affecting every merchant and has not solved it for more than a year, and also does not answer at all. We and many others are receiving tons of incorrect email notifications from Apple that mention an incorrect (old) certificate expiration date even though the certificate was renewed.

@meaton could you check this thread please?

We are having the same issue and this is a huge pain that requires attention and manual work to verify domains every 2 months. I saw a few topics exactly like this one, I wonder if Apple has on the road map to fix the issue.

Same problem here, and I confirm the URL (i.e. https://yourdomain.com/.well-known/apple-developer-merchantid-domain-association) works and the SSL is always renewed 2 months before its expiration.

I have sent mail via https://developer.apple.com/contact/#!/topic/SC1109/subtopic/30064/solution/CONTACT.EML.GEN/details asking why the bug reported via Feedback Assistant has not been solved for many months (status is OPEN with no answer from Apple employees). But the answer to the email is terrible and useless: copied text from https://developer.apple.com/bug-reporting/#after-submission. The response was from eurodev(at)apple.com. So Feedback Assistant is ignored, the Apple Developer Forum too, mail support too. What should an Apple developer do when there is a real bug? Apple has the worst developer support ever. Each developer must pay 99 USD yearly but bug reports are ignored. The Google developer program is free and each bug report is transparently handled at the Google Issue Tracker: https://issuetracker.google.com

Hi,

do you have any news? We have the same issue.

Thank you

After tens of messages with Apple support and many irrelevant answers and many excuses I finally got this answer...

> Our engineering teams have found that the validation job is seeing closed connections while trying to fetch the SSL certs.
> 
> To provide more context, when the validation job tries reaching the client host at the verification file URL path and encounters an HTTP 200 response, it will re-use the open connection and acquire the SSL cert information (to check for expiration as well as to ensure no changes to the Subject and Issuer in the SSL cert chain have been made from the previous domain registration). This is where the issue for automated validation is occurring for your domains.
> 
> They recommend for you to further review the timeout settings and adjust if needed.
> 
> We appreciate the feedback you have provided to the verification process. Our teams are exploring ways to enhance and improve the domain validation process.

Interesting that any browser including Safari can access the SSL cert info, and https://www.ssllabs.com/ssltest also has no problem validating the cert; nobody has a problem except Apple. Also interesting: when I click "Verify manually", Apple's verification succeeds? So then there is no connection-close problem? But when Apple should do it automatically, suddenly there is some problem with closing connections? I'm really losing any hope that Apple will ever fix this annoying bug.

I have the same problem with automatic renewals, but in my case the answer has been that the URL for the main page of the domain is redirected, which it shouldn't be. It doesn't matter if the specific URL for the file ../apple-developer-merchantid-domain-association.txt isn't redirected; if the main page / is, then it fails. I've given up. At least now the manual renewal is every 9 months instead of just 3.

Hello,

We are using Let's Encrypt certificates and everything is set up correctly. I can see in our logs that Apple servers visited our domains, but validation failed. I have contacted Apple support and below is their answer. So it looks like they need to fix it and we have to wait and hope :)

> For the automated validation, we have checked with our engineers: the automated validation process is failing due to the developer's SSL certificate chain. This is common for short-term certs issued by providers such as theirs, Let's Encrypt. Specifically, your SSL cert chain does not contain the values in the subject of the cert chain for which our automated job checks. Due to the lack of values, our automated process is expected to fail.
>
> We are working on some enhancements but in the meantime, we would ask you to make sure that you renew your certificates manually.

Exactly. In my bug report via the black hole that is Apple Feedback Assistant I exchanged about 20 messages with Apple support. They wrote just excuses etc. Later they wrote that they have some problem with Let's Encrypt certs. Strange, because the certs are world-wide accepted, the most popular certs, every browser accepts them including Safari, but Apple engineers have a problem validating our websites with Let's Encrypt certs. Thanks for everything. We annoyed them for so long that they admitted that the problem is on their side and they are preparing an improvement. The question is how many years it will take.
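The conditions raised in this thread can be exercised from your own side before Apple's re-check: the documentation's 30/15/7-day schedule, Apple Support's description of the job (a keep-alive fetch of the association file, then a comparison of Subject and Issuer against the initial verification), the site-root redirect one poster was told about, and the certificate-chain complaint in the reply just above. The script below is an added example, not Apple's code or any poster's. It assumes HTTPS on port 443, a per-domain JSON baseline file you keep yourself, and that Apple's comparison concerns the leaf certificate's Subject and Issuer (the support replies do not say which certificate in the chain they inspect).

```python
"""Pre-flight checks for Apple Pay merchant-domain re-verification.

Added example (not Apple's code). Checks, from your own network, what this
thread says Apple's automatic re-check depends on: the association file
answers HTTP 200 at its .well-known path without redirecting, the site
root does not redirect, the TLS certificate is not past Apple's last
re-check point, and the leaf certificate's Subject/Issuer still match the
baseline recorded at initial verification (assumption: Apple compares the
leaf; the support replies do not say which certificate in the chain).
"""
import http.client
import json
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

ASSOC_PATH = "/.well-known/apple-developer-merchantid-domain-association"
# Days before certificate expiry at which Apple's docs say it re-checks.
APPLE_CHECK_DAYS = (30, 15, 7)


def fetch_status(host, path, timeout=10):
    """GET `path` over HTTPS on one keep-alive connection, following no
    redirects. Returns (status, Location header or None)."""
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("GET", path, headers={"Connection": "keep-alive"})
        resp = conn.getresponse()
        resp.read()  # drain so the connection stays reusable, as Apple's job reuses it
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def fetch_leaf_cert(host, timeout=10):
    """Return the server's leaf certificate as the dict ssl.getpeercert() gives."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_summary(peercert):
    """Flatten getpeercert() output to the fields worth baselining."""
    def flatten(rdns):
        return {k: v for rdn in rdns for k, v in rdn}
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(peercert["notAfter"]), tz=timezone.utc)
    return {"subject": flatten(peercert["subject"]),
            "issuer": flatten(peercert["issuer"]),
            "not_after": not_after.isoformat()}


def checks_that_see_renewal(old_not_after, renewed_at):
    """Which of Apple's 30/15/7-day re-checks (timed against the OLD cert's
    expiry) fall after the new cert was installed. Renewing only 10 days
    before expiry leaves just the 7-day check to notice it."""
    return [d for d in APPLE_CHECK_DAYS
            if old_not_after - timedelta(days=d) >= renewed_at]


def audit(responses, summary, baseline, now):
    """Pure decision logic. `responses` maps path -> (status, location);
    `summary`/`baseline` are cert_summary() dicts. Returns findings."""
    findings = []
    status, loc = responses[ASSOC_PATH]
    if status != 200 or loc:
        findings.append(f"association file: HTTP {status}"
                        + (f", redirects to {loc}" if loc else ""))
    status, loc = responses["/"]
    if loc:
        findings.append(f"site root redirects to {loc}")
    not_after = datetime.fromisoformat(summary["not_after"])
    days_left = (not_after - now) / timedelta(days=1)
    if days_left <= 0:
        findings.append("certificate has expired")
    elif days_left < min(APPLE_CHECK_DAYS):
        findings.append(f"certificate expires in {days_left:.1f} days, "
                        "past Apple's last re-check point")
    for field in ("subject", "issuer"):
        if baseline and summary[field] != baseline[field]:
            findings.append(f"{field} changed since initial verification: "
                            f"{baseline[field]} -> {summary[field]}")
    return findings


def main(domain, baseline_file):
    responses = {p: fetch_status(domain, p) for p in (ASSOC_PATH, "/")}
    summary = cert_summary(fetch_leaf_cert(domain))
    path = Path(baseline_file)
    baseline = json.loads(path.read_text()) if path.exists() else None
    findings = audit(responses, summary, baseline, datetime.now(timezone.utc))
    if baseline is None:  # first run: record Subject/Issuer seen at verification
        path.write_text(json.dumps(summary, indent=2))
    for finding in findings:
        print(f"{domain}: {finding}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2] if len(sys.argv) > 2
                  else f"{sys.argv[1]}.applepay-baseline.json"))
```

Run it once right after the manual verification in Certificates, Identifiers & Profiles so the baseline records the Subject and Issuer Apple saw, then again from a certbot `--deploy-hook` after every renewal: a non-zero exit means one of the conditions the thread names has changed and a manual re-verification is likely to be needed. Let's Encrypt rotates its intermediates, so an issuer change is the finding to watch for after each renewal.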

Having similar issues. Received a notification that the SSL certificate is expiring. Under the Certificates, Identifiers and Profiles page, it seems that the only cert that is expiring on the provided date is our Merchant domain cert/txt file. Clicking the verify button, downloading and uploading the new .txt file and clicking the second verify button all seems to be working but there really isn't any success response or message. Clicking verify redirects back to the Certificates, Identifiers and Profiles page and the expiration date fails to update.

I am pretty sure the verification is working because there were a few times where we were not redirected to the Certificates, Identifiers and Profiles page and instead were met with the "domain verification failed" pop-up; this was due to Apple seeing our cached .txt file. However, once we fixed that, we were redirected back to the main page but again, the expiration date has failed to update.

Am I missing something? It mentions updating the SSL but is the .txt file the SSL? Or is there some other cert that needs to be updated that isn't displayed on the Certificates, identifiers and profiles page? All I have access to through apple is the Payment processing certificate, Merchant identity Certificate and the merchant domains (.txt files). I can't believe there has been no resolution to this issue. I have seen similar threads dating back several years.

Same here, Apple still hasn't fixed their bug in the auto renewal check.

Very annoying, have to manually upload file and verify again.

We're using Cloudflare to auto renew certificate (90 days validity period), and the certificate we are using is Google Trust Services.

Having same issue.
