How can I stop needing to verify my Merchant Domain manually every month?

Our client's site uses Apple Pay, and once a month we get a series of email notifying us that the domain verification is about to expire:

Code Block
Your website domain that uses Apple Pay has an SSL Certificate that expires on Oct 11, 2020. We were unable to automatically to reverify your domain. To ensure uninterrupted use of Apple Pay on your website, revalidate your domain by Oct 11, 2020 in Certificates, Identifiers & Profiles.


The site uses Let's Encrypt to automatically renew its SSL cert monthly.

Every time that happens, we need to log into the Apple Developer tools, navigate to Certificates, Identifiers, and Profiles -> Identifiers -> Merchant IDs -> ID -> Merchant Domains, then download the file and drop it onto the server with SFTP. It's a pain.

Is there a way to automate this process (or better yet, stop it from happening)? I can't imagine monthly-renewing SSL certificates is a particularly uncommon thing.

Same problem here, and I confirm the URL (ie https://yourdomain.com/.well-known/apple-developer-merchantid-domain-association) works and the SSL is always renewed 2 months before its expiration.

I have sent mail via https://developer.apple.com/contact/#!/topic/SC1109/subtopic/30064/solution/CONTACT.EML.GEN/details why bug reported via Feedback Assistant is not solved for many months (status is OPEN with no answer from Apple employees). But answer to email is terrible and useless - copied texts from https://developer.apple.com/bug-reporting/#after-submission Response was from eurodev(at)apple.com So Feedback Assistant is ignored, Apple Developer Forum too, mail support too. What Apple developer should do when there is a real bug? Apple has worst developer support ever. Each developer must pay 99 USD/yearly but bug reports are ignored. Google developers program is for free and each bug report is transparently solved at Google Issue Tracker: https://issuetracker.google.com

Hi,

do you have any news? We have the same issue.

Thank you

After tens of messages with apple support and many irrelevant answers and many excuses I finally got this answer...

> Our engineering teams have found that the validation job is seeing closed connections while trying to fetch the SSL certs.
> 
> To provide more context, when the validation job tries reaching the client host at the verification file URL path and encounters an HTTP 200 response, it will re-use the open connection and acquire the SSL cert information (to check for expiration as well as to ensure no changes to the Subject and Issuer in the SSL cert chain have been made from the previous domain registration). This is where the issue for automated validation is occurring for your domains.
> 
> They recommend for you to further review the timeout settings and adjust if needed.
> 
> We appreciate the feedback you have provided to the verification process. Our teams are exploring ways to enhance and improve the domain validation process.

Interesting is that any browser including Safari can access SSL cert info, also https://www.ssllabs.com/ssltest have no problem to validate cert, just nobody has problem except Apple. Also interesting is when I click "Verify manually" Apple succeed verification? Just then there is no connection close problem? But when Apple should do it automatically suddenly there is a some problem with closing connections? Im really loosing any hope that Apple will sometime fix this annoying bug.

I have the same problem about automatic renovations, but in my case the answer has been that the URL for the main page of the domain is redirected, which shouldn't be. Doesn't matter if the specific URL for the file ../apple-developer-merchantid-domain-association.txt isn't redirected, if the main page / is then it fails. I've given up. At least now the manual renovation it's every 9 months instead of just 3.

Hello,

We are using Let’s Encrypt certificates and everything is set up correctly. I can see in our logs, that apple servers visited our domains, but validation failed. I have contacted apple support and bellow is their answer. So it looks like they need to fix it and we have to wait and hope:)

For the automated validation, we have checked with our engineers the automated validation process is failing due to the developer’s SSL certificate chain, this is common for short-term certs issued by providers such as theirs, Let’s Encrypt. Specifically, the your SSL cert chain does not contain the values in the subject of the cert chain for which our automated job checks. Due to the lack of values, our automated process is expected to fail.

We are working on for some enhance but in the mean time, we would ask you to make sure that you renew your certifciates manually.

Exactly. In my bug report via black hole Apple Feedback Assistant I exchanged in about 20 messages with Apple support. They wrote just excuses etc. Later wrote that they have some problem with Lets Encrypt cert. Strange because of certs are world-wide accepted, most popular certs, every browser accept it including Safari but Apple engineers have problem with validating our websites with Lets Encrypt certs. Thanks for all. We annoyed them for so long that they admitted that the problem is on their side and they are preparing an improvement. Question is how many years it will take.

Having similar issues. Received a notification that the SSL certificate is expiring. Under the Certificates, identifiers and profiles page, it seems that the only cert that is expiring on the provided date is our Merchant domain cert/txt file. Clicking the verify button, downloading and uploading the new .txt file and clicking the second verify button all seems to be working but there really isn't any successful response or message. Clicking verify redirects back to The Certificates, identifiers and profiles page and the expiration date fails to update.

I am pretty sure the verification is working because there were a few times were we were not redirected to the Certificates, identifiers and profiles page and instead were met with the "domain verification failed" pop up; this was due to apple seeing our cached .txt file. However, once we fixed that, we were re-directed back to the main page but again, the expiration date has failed to update.

Am I missing something? It mentions updating the SSL but is the .txt file the SSL? Or is there some other cert that needs to be updated that isn't displayed on the Certificates, identifiers and profiles page? All I have access to through apple is the Payment processing certificate, Merchant identity Certificate and the merchant domains (.txt files). I can't believe there has been no resolution to this issue. I have seen similar threads dating back several years.

Same here, Apple still hasn't fix their bug about auto renewal check.

Very annoying, have to manually upload file and verify again.

We're using Cloudflare to auto renew certificate (90 days validity period), and the certificate we are using is Google Trust Services.

Having same issue.

Same here

How can I stop needing to verify my Merchant Domain manually every month?
 
 
Q