merchant : Verification failed for domain

Hi,


I have been trying for 4 days to verify my domain. I uploaded the verification file, and when I open the file in a browser it works.


I use a proxy (Cloudflare), and I disabled the cache and made it DNS only.


I also edited the nginx file like this:


ssl_certificate /etc/nginx/ssl/api.XXXXX.com/5111117/server.crt;
ssl_certificate_key /etc/nginx/ssl/api.XXXXX.com/5111117/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_stapling on;
ssl_stapling_verify on;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_trusted_certificate /etc/nginx/ssl/api.XXXXX.com/5111117/server.crt;


I don't know where the problem is; I always get this message:

Verification failed for domain



How can I solve this problem?


You mentioned that you disabled your proxy and only use the DNS service. Has the proxy always been disabled during domain validation? The reason I ask is that this will cause an issue when Apple's servers are trying to verify your domain.

| and I use a proxy (Cloudflare), and I disabled the cache and made it DNS only.


Also make sure that Apple servers can reach your server to perform domain verification. If required, please allow the following Apple IPs access to your server:

17.150.31.53

17.151.140.51

17.160.220.37

17.160.220.39


I see that this server is performing OCSP stapling and verification. Is the certificate that is being used here from a known certificate authority or is this an in-house certificate from a local authority? The reason why I ask is because I want to rule this out as a possible cause as well.


Note that the domain verification file will expire after 7 days.


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Hi there


I created a new domain with a new server


and I made it DNS only without caching


and I use a Let's Encrypt certificate

this is my verification file.

this is my nginx conf

# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/XXXX.***.sa/***/*;


server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ***.***.***;
    root /home/forge/XXXX.XX.***/public;


    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/***.XXXX.XX/710621/server.crt;
    ssl_certificate_key /etc/nginx/ssl/***.XXXX.XX/713626/server.key;


    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;


    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";


    index index.html index.htm index.php;


    charset utf-8;


    # FORGE CONFIG (DO NOT REMOVE!)
    include forge-conf/XXXXX.***.***/server/*;


    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }


    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }


    access_log off;
    error_log  /var/log/nginx/XXXX.XXXX.X-error.log error;


    error_page 404 /index.php;


    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }


    location ~ /\.(?!well-known).* {
        deny all;
    }
}


# FORGE CONFIG (DO NOT REMOVE!)
include forge-conf/XXXX.***.X/after/*;


Thanks for confirming that DNS is in use. What about any network proxy?


Did you have any luck with allowing access for the Apple IPs?


In looking at your nginx config, what are the following lines doing?

location ~ /\.(?!well-known).* { 
    deny all; 
}


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

No network proxy, and no luck with any IPs; everything is allowed.


The nginx config is created by forge.laravel.com and it is the default configuration. I removed these lines but the problem still happens.

From here my recommendation would be to turn on and configure verbose access logs such that you can see when requests are coming into nginx for your domain verification. Restart nginx and test your domain verification. If you can see the request coming in to perform domain verification, the request was served properly, and you are still getting an error message, then you know something is wrong with the text verification file. If you cannot see these requests coming through the access log then you know you have a routing and access issue to your server that you need to resolve.


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

I changed the nginx log to debug and I found the request, but I have an error


2020/01/30 21:10:35 [debug] 31149#31149: *2 SSL_do_handshake: -1
2020/01/30 21:10:35 [debug] 31149#31149: *2 SSL_get_error: 1
2020/01/30 21:10:35 [info] 31149#31149: *2 SSL_do_handshake() failed (SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL handshaking, client: 17.179.144.227, server: 0.0.0.0:443
2020/01/30 21:10:35 [debug] 31149#31149: *2 close http connection: 3
2020/01/30 21:10:35 [debug] 31149#31149: *2 event timer del: 3: 15371864498
2020/01/30 21:10:35 [debug] 31149#31149: *2 reusable connection: 0
2020/01/30 21:10:35 [debug] 31149#31149: *2 free: 0000563E27ACB560, unused: 104


I think the problem is with SSL but I don't know how to solve it. I use Let's Encrypt and Cloudflare SSL
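The advice earlier in the thread was to turn on verbose logging and check whether the verification request reaches nginx at all. The debug excerpt above answers that: a client in Apple's address space connected, and the TLS handshake was rejected before any HTTP request could be served. The following script is an added example, not code from the thread or from Apple; it parses error_log lines of the shape shown above, pulls out the client address and the OpenSSL failure reason, and separates "request never arrived" (nothing logged) from "request arrived but TLS failed" (handshake failure logged). The sample log text is copied from the post; the 17.0.0.0/8 range is Apple's public allocation, and the four verification addresses Apple listed earlier in the thread fall inside it.

```python
import ipaddress
import re

# Sample input: the nginx error_log excerpt posted in the thread, trimmed to the
# lines that matter for triage.
SAMPLE_ERROR_LOG = """\
2020/01/30 21:10:35 [debug] 31149#31149: *2 SSL_do_handshake: -1
2020/01/30 21:10:35 [debug] 31149#31149: *2 SSL_get_error: 1
2020/01/30 21:10:35 [info] 31149#31149: *2 SSL_do_handshake() failed (SSL: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL handshaking, client: 17.179.144.227, server: 0.0.0.0:443
2020/01/30 21:10:35 [debug] 31149#31149: *2 close http connection: 3
"""

# Apple's public IPv4 space; the verification hosts listed in the thread are in it.
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")

# Matches nginx's "SSL_do_handshake() failed" line and captures the OpenSSL error
# text and the peer address. Format assumed from the posted log lines.
HANDSHAKE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] .*?SSL_do_handshake\(\) failed "
    r"\(SSL: (?P<reason>[^)]*)\) while SSL handshaking, client: (?P<client>[\d.]+)"
)


def triage_handshake_failures(log_text):
    """One finding per failed TLS handshake: who connected, why OpenSSL rejected
    it, and whether the peer is in Apple's range. A finding at all means the
    verification request reached the server, so routing and firewalling are not
    the problem; the failure is in the TLS configuration."""
    findings = []
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if not m:
            continue
        client = ipaddress.ip_address(m["client"])
        # OpenSSL reasons look like "error:CODE:lib:function:reason"; keep the last part.
        reason = m["reason"].rsplit(":", 1)[-1]
        if reason == "no shared cipher":
            verdict = "reached server; no cipher suite in common with the client"
        else:
            verdict = "reached server; TLS handshake failed: " + reason
        findings.append({
            "timestamp": m["ts"],
            "client": str(client),
            "from_apple": client in APPLE_NET,
            "reason": reason,
            "verdict": verdict,
        })
    return findings


def summarize(log_text):
    """Plain-language conclusion for the operator."""
    findings = triage_handshake_failures(log_text)
    if not findings:
        return "no TLS handshake failures logged; check DNS, proxy and firewall path"
    apple = [f for f in findings if f["from_apple"]]
    if apple:
        return "Apple client %s connected; %s" % (apple[0]["client"], apple[0]["verdict"])
    return "handshake failures seen, but none from Apple's address range"


if __name__ == "__main__":
    for f in triage_handshake_failures(SAMPLE_ERROR_LOG):
        print(f)
    print(summarize(SAMPLE_ERROR_LOG))
```

Run it against a real error_log at `error_log ... debug;` (or `info`, which is enough to capture the handshake-failed line) after reproducing one verification attempt; a result of "no handshake failures logged" combined with no access_log entry is the routing case the DTS engineer described, while a logged failure from a 17.x address is the TLS case.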

This looks like the Apple servers are starting the TLS session and your server is closing down the session because there is no match in ciphers between your server's certificate and Apple's server.

| 2020/01/30 21:10:35 [info] 31149#31149: *2 SSL_do_handshake() failed (SSL:

| error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher) while SSL


Check that your domain certificate supports one of these cipher suites:


TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256



Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

I'm sorry how can I check ?


I use a free ssl ( https://letsencrypt.org/ )

There are tools like OpenSSL that allow you to check the supported cipher suites for a certificate. Your certificate authority will probably be able to provide more insight into this as well.


As a side note, I made a connection against your validation file and my connection used a cipher that is only supported in TLS 1.3. So I would check with your certificate authority to review the cipher list against the ones I provided in a previous response.


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

I purchased a Cloudflare dedicated SSL ($5/month). And the domain verification passed.

Using cipherli.st we ended up with this in the nginx config

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;

This doesn't look like it will work with the ones you listed above so I have to add one of these?
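The question at the end of the thread can be answered mechanically: nginx's `ssl_ciphers` uses OpenSSL names, Apple's list uses IANA names, and "no shared cipher" means the two sets have an empty intersection. The script below is an added example, not code from the thread, from Apple or from cipherli.st. It translates the directive posted above into IANA names, intersects it with the seven suites Apple's engineer listed, and produces a corrected directive that adds the forward-secret AEAD suites (ECDHE/DHE with AES-128-GCM) the client offers. The name table covers only the RSA-authenticated AES suites relevant here; names outside it are reported rather than assumed bogus, though the two `AES256-GCM-SHA512` entries from cipherli.st do not correspond to any registered TLS suite (no TLS suite pairs AES-256-GCM with SHA-512), so OpenSSL skips them and they contribute nothing. Two caveats the table cannot see: the `*-RSA-*` suites only apply when the certificate has an RSA key (the Let's Encrypt default at the time), an ECDSA certificate would need `ECDHE-ECDSA-*` suites instead; and TLS 1.3 suites are negotiated separately from `ssl_ciphers`, which is why a TLS 1.3 client connected while a TLS 1.2 client did not.

```python
import re

# OpenSSL cipher-string name <-> IANA suite name, for the RSA-authenticated AES
# suites that appear in this thread. This is the standard naming correspondence.
OPENSSL_TO_IANA = {
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-SHA256":     "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-RSA-AES256-SHA384":     "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-RSA-AES128-SHA":        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "DHE-RSA-AES128-GCM-SHA256":   "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "DHE-RSA-AES256-GCM-SHA384":   "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "DHE-RSA-AES128-SHA256":       "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "AES128-GCM-SHA256":           "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "AES128-SHA256":               "TLS_RSA_WITH_AES_128_CBC_SHA256",
}
IANA_TO_OPENSSL = {iana: ossl for ossl, iana in OPENSSL_TO_IANA.items()}

# The ssl_ciphers directive from the nginx config posted in the thread.
PAGE_DIRECTIVE = (
    "ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:"
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;"
)

# The suites Apple's engineer listed as offered by the verification client.
APPLE_CLIENT_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]


def parse_ssl_ciphers(directive):
    """Split an nginx 'ssl_ciphers A:B:C;' line into its OpenSSL cipher names."""
    m = re.match(r"^\s*ssl_ciphers\s+(\S+?)\s*;\s*$", directive)
    if not m:
        raise ValueError("not an ssl_ciphers directive: %r" % directive)
    return m.group(1).split(":")


def to_iana(openssl_name):
    """IANA name for an OpenSSL cipher name, or None if it is not in the table."""
    return OPENSSL_TO_IANA.get(openssl_name)


def classify(server_names):
    """Split the server list into names the table recognises and names it does not."""
    known = [n for n in server_names if n in OPENSSL_TO_IANA]
    unrecognized = [n for n in server_names if n not in OPENSSL_TO_IANA]
    return known, unrecognized


def shared_suites(server_names, client_iana):
    """Suites both sides support, in server order (ssl_prefer_server_ciphers on).
    An empty result is exactly the 'no shared cipher' handshake failure."""
    client = set(client_iana)
    return [OPENSSL_TO_IANA[n] for n in server_names if OPENSSL_TO_IANA.get(n) in client]


def add_shared_suites(server_names, client_iana, aead_only=True):
    """Keep the recognised server entries and append the client's forward-secret
    (ECDHE/DHE) suites that are missing. With aead_only, only GCM suites are added,
    so no CBC suite is enabled just to satisfy the client."""
    known, _ = classify(server_names)
    result = list(known)
    for suite in client_iana:
        name = IANA_TO_OPENSSL.get(suite)
        if name is None or name in result:
            continue
        if not name.startswith(("ECDHE-", "DHE-")):
            continue  # static RSA key exchange: no forward secrecy, leave it out
        if aead_only and "-GCM-" not in name:
            continue
        result.append(name)
    return result


def render_directive(names):
    return "ssl_ciphers " + ":".join(names) + ";"


if __name__ == "__main__":
    current = parse_ssl_ciphers(PAGE_DIRECTIVE)
    known, unrecognized = classify(current)
    print("unrecognized entries:", unrecognized)
    print("shared with Apple client:", shared_suites(current, APPLE_CLIENT_SUITES))
    fixed = add_shared_suites(current, APPLE_CLIENT_SUITES)
    print(render_directive(fixed))
    print("shared after fix:", shared_suites(fixed, APPLE_CLIENT_SUITES))
```

After changing the directive, confirm against the live server rather than the table: `openssl s_client -connect api.example.com:443 -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 </dev/null` must complete the handshake (hostname is a placeholder), and the nginx error log should no longer record `no shared cipher` for the verification attempt.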

