How can I stop needing to verify my Merchant Domain manually every month?

Our client's site uses Apple Pay, and once a month we get a series of emails notifying us that the domain verification is about to expire:

Your website domain that uses Apple Pay has an SSL Certificate that expires on Oct 11, 2020. We were unable to automatically to reverify your domain. To ensure uninterrupted use of Apple Pay on your website, revalidate your domain by Oct 11, 2020 in Certificates, Identifiers & Profiles.


The site uses Let's Encrypt to automatically renew its SSL cert monthly.

Every time that happens, we need to log into the Apple Developer tools, navigate to Certificates, Identifiers, and Profiles -> Identifiers -> Merchant IDs -> ID -> Merchant Domains, then download the file and drop it onto the server with SFTP. It's a pain.

Is there a way to automate this process (or better yet, stop it from happening)? I can't imagine monthly-renewing SSL certificates is a particularly uncommon thing.

  • I have the same problem... did you find a solution to this? The verification is active for 2 months for me, then I have to download a new domain verification key and upload to my host. A pain in the *** when you manage several domains and merchant ids...


Replies

Sorry I don't have any suggestions, but I'd love to see Apple implement a better procedure for this as well. +1
I have the same problem.

According to the manual https://developer.apple.com/documentation/apple_pay_on_the_web/maintaining_your_environment

Make sure that the specified URL you originally used when validating
the merchant domain is accessible to Apple servers listed in Allow Apple IP Addresses for Domain Verification. The URL may be similar to

https://yourdomain.com/.well-known/apple-developer-merchantid-domain-association.

I am sure that Apple's IP is not blocked, and the Let's Encrypt SSL certificate is automatically renewed before expiring. But these URLs cannot be found in the access logs:

https://mydomain.com/.well-known/apple-developer-merchantid-domain-association or https://mydomain.com/.well-known/apple-developer-merchantid-domain-association.txt


What is wrong with Apple's automatic verification?




  • It seems that automatic verification does not work at all. Just manual. The problem is when using short-lived certs such as Let's Encrypt. It is really bothersome to always verify manually.

I have this same problem and my certificate isn't about to expire, this looks more to be a bug in Apple's process than anything.
We have exactly the same issue at our company. The initial verification passes, we keep the verification files on the server and still the automatic reverification fails. I even set up some logging, and I see some accesses from the IPs listed in Apple's docs but they're just visits to the homepage, not the verification file. Usually there's two of them in short succession. We return HTTP 200 to both. Verification still fails :-/
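Added example, not part of any poster's reply and not Apple's tooling: one way to repeat the logging check described above, by counting which paths requests from the verification address ranges actually hit in a Combined Log Format access log. The address range is an RFC 5737 placeholder (take the real list from Apple's "Allow Apple IP Addresses for Domain Verification" page), and the log lines and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Path named in Apple's documentation for the verification file.
ASSOC_PATH = "/.well-known/apple-developer-merchantid-domain-association"

# Placeholder range (RFC 5737 documentation network), NOT Apple's real addresses.
VERIFIER_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines for illustration only.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Oct/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
192.0.2.10 - - [01/Oct/2020:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [01/Oct/2020:10:05:00 +0000] "GET /.well-known/apple-developer-merchantid-domain-association HTTP/1.1" 200 9094 "-" "curl/7.68.0"
203.0.113.5 - - [01/Oct/2020:10:06:00 +0000] "GET /checkout HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

def from_verifier(host):
    """True if the client address falls inside a configured verifier range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # logged hostname instead of an IP address
        return False
    return any(addr in net for net in VERIFIER_NETS)

def summarize(log_text):
    """Count verifier-range requests, split by association file vs other paths."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        host, _method, target, status = m.groups()
        path = target.split("?", 1)[0]
        is_assoc = path in (ASSOC_PATH, ASSOC_PATH + ".txt")
        if from_verifier(host):
            counts[("verifier", "assoc" if is_assoc else "other", status)] += 1
        elif is_assoc:
            counts[("non-verifier", "assoc", status)] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(key, n)
```

A result with `("verifier", "other", ...)` entries but no `("verifier", "assoc", ...)` entry matches the pattern reported in this thread: requests from the listed ranges reach the homepage but never the verification file.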
We've got the same issue here - the initial verification process passes without any issues but the reverification just never happens. SSL certs have been renewed but Apple just never becomes aware of that.
Have had the same issue for the past 8 months. Our merchant domain association text files are publicly accessible. We use Let's Encrypt certs that are definitely renewed at least 10 days before expiration. Generally they are renewed 30 days before. It's really frustrating to have to manually update the certs every 2 months for all our environments.

Anyone solve this for Let's Encrypt?

Hi all, we are facing the same scenario here. In the end, did any of you have to reupload the .txt files or take any other action? The domain shows as verified and our SSL certs for the server have been renewed. Or was it an issue on Apple's side?

Can someone from Apple respond to this? This is a bit of a deal breaker for implementing Apple Pay on our sites. We have around 300 of them and if we have to manually upload and verify for every domain AND revalidate once our SSL certs are renewed then it's not really a viable payment solution.

Any updates on this issue? Looking to automate the process, but I would need an API from Apple to query in order to pull down the domain validation string.


We are also having this issue on multiple domains. The domains will validate at first with no issue then consistently fail to automatically revalidate even when the SSL certs are properly renewed and the domain validation file still shows.

There is also no visibility into why the domains are failing validation from the developer console and no API to automate monitoring.

Dear Apple, could you please answer? It seems that automatic verification does not work at all. Just manual. It is a big problem when using short-lived certs such as Let's Encrypt. But it is also a problem for long-lived certs if you have many, many domains. I already reported this bug via Feedback Assistant but this tool is terrible. In the past we have reported many other issues with no answers after months/years. So there is no hope of Apple doing something about it. Apple Feedback Assistant is private so nobody sees how Apple ignores developers' reports. The Google bug tracker is public, and before adding a new bug/ticket you can search to see if it is already reported, and employees from Google respond there. This Apple developer forum is the worst support in the whole world, as is their Feedback Assistant. No answers from Apple, just developer complaints. Everyone, please file a bug here: https://feedbackassistant.apple.com/ Maybe it will help when many identical issues are reported by more developers.

  • Very good idea, I just submitted a ticket... This shit has been bothering me for way too long already.


I'm sure that this is an Apple bug because they do not do what is stated here:

https://developer.apple.com/documentation/apple_pay_on_the_web/maintaining_your_environment

Renew Your Domain Verification

Domain verification expires on the same date that your domain’s SSL certificate expires. Apple servers check if SSL certificates have been renewed at 30, 15, and 7 days before expiration.

  • If you update the SSL certificate before it expires, Apple detects the renewed certificate and the domain remains verified. No further action is required on your part.
  • If the SSL certificate expires and is not replaced before expiring, you must redo domain verification in your Apple Developer Account. See Verify a Merchant Domain for additional information.

I'm surprised that Apple has a global bug affecting each merchant and has not solved it for more than 1 year and also does not answer at all. We and many others are receiving tons of incorrect email notifications from Apple which mention an incorrect (old) certificate expiration even though it was renewed.

@meaton could you check this thread please?

We are having the same issue and this is a huge pain that requires attention and manual work to verify domains every 2 months. I saw a few topics exactly like this one; I wonder if Apple has a fix for the issue on the roadmap.

Same problem here, and I confirm the URL (i.e. https://yourdomain.com/.well-known/apple-developer-merchantid-domain-association) works and the SSL is always renewed 2 months before its expiration.