Unable to re-verify Merchant Domain

We have had Apple Pay enabled on a domain, and been able to re-verify by downloading and uploading apple-developer-merchantid-domain-association.txt files on our staging and production environments without issue for about a year.

During the most recent attempt to re-verify the domains, we are receiving:

Domain verification failed. Review your TLS Certificate configuration to confirm that the certificate is accessible and a supported TLS Cipher Suite is used.

I've asserted that:

  • Our SSL certificate has TLS 1.2 supported
  • That our cipher suite (ECDHE-RSA-AES128-GCM-SHA256) is supported
  • That the file at {DOMAIN}/.well-known/apple-developer-merchantid-domain-association.txt is reachable, and does not hit cache, or redirect
  • That the above file is accessible via browser from a variety of IPs
  • That while requests from a browser to the file are being logged, when I attempt to verify, I do not see requests from the Apple IPs (found here) getting to the server

Is there any way to get more information regarding why the domain verification tool is failing to verify?

I've tried reaching out to Apple Pay support, but have been redirected several times.

Thank you for confirming these items. It looks like this is the key part to debug further:

That while requests from a browser to the file are being logged, when I attempt to verify, I do not see requests from the Apple IPs (found here) getting to the server

While the link did come through, I suspect you are referring to the Apple Pay Setting Up Your Server guide, here that contains all of the Apple Pay Server IPs.

Is there any way to get more information regarding why the domain verification tool is failing to verify?

For your situation it sounds like you will want to try and trace the route that is being taken to your server to see where these domain verification requests are getting lost or possibly failing. For example, work your expected network topology backwards until you cannot find the IPs from the Apple Servers in the access logs anymore. This would be a likely place to debug a breakdown.

If you do end up finding that the verification requests are hitting your server, then you may need to increase the log level at which your servers are emitting logs to get a better handle on why you are receiving a TLS failure.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
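As an added example, not code from the thread or from Apple: a Python script that runs the poster's checklist (TLS version, cipher suite, reachable file with no redirect or cache hit) against a domain, plus a log scanner for the reply's suggestion of tracing each hop for requests to the association file from Apple's server IPs. The Apple address range, the confirmed cipher set and the sample log lines are placeholders or constructed values; take the real ranges from Apple's Setting Up Your Server guide.

```python
import http.client
import ipaddress
import re
import ssl

PATH = "/.well-known/apple-developer-merchantid-domain-association.txt"
# Placeholder: fill in Apple's Pay server IPs from the guide; 203.0.113/24 is constructed.
APPLE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
OK_CIPHERS = {"ECDHE-RSA-AES128-GCM-SHA256"}  # TLS 1.2 suites you have confirmed

def probe(domain, timeout=10):
    """Fetch PATH over TLS; http.client never follows redirects, so a 3xx stays visible."""
    conn = http.client.HTTPSConnection(domain, 443, timeout=timeout,
                                       context=ssl.create_default_context())
    conn.connect()  # handshake first so the negotiated parameters can be read
    tls_version, cipher = conn.sock.version(), conn.sock.cipher()[0]
    conn.request("GET", PATH, headers={"Cache-Control": "no-cache"})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return tls_version, cipher, resp.status, headers

def evaluate(tls_version, cipher, status, headers, ok_ciphers=OK_CIPHERS):
    """Apply the thread's checklist; an empty list means every check passed."""
    checks = [  # (passed?, finding); TLS 1.3 suites are named differently and all AEAD
        (tls_version in ("TLSv1.2", "TLSv1.3"), f"negotiated {tls_version}, need TLS 1.2+"),
        (tls_version == "TLSv1.3" or cipher in ok_ciphers, f"cipher {cipher} not confirmed"),
        (status == 200, f"status {status}, expected 200"),
        ("location" not in headers, f"redirected to {headers.get('location')}"),
        ("age" not in headers, "Age header present: response was served from a cache"),
    ]
    return [finding for passed, finding in checks if not passed]
# Combined Log Format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def verification_hits(log_lines, networks=APPLE_NETWORKS):
    """(source ip, status) of requests to PATH from the given networks; run it per hop."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(2) == PATH and any(
                ipaddress.ip_address(m.group(1)) in n for n in networks):
            hits.append((m.group(1), int(m.group(3))))
    return hits

SAMPLE_LOG = [  # constructed lines, not from the poster's servers
    f'203.0.113.7 - - [01/Jan/2024:00:00:00 +0000] "GET {PATH} HTTP/1.1" 200 1234',
    f'198.51.100.9 - - [01/Jan/2024:00:00:01 +0000] "GET {PATH} HTTP/1.1" 200 1234',
    f'203.0.113.8 - - [01/Jan/2024:00:00:02 +0000] "GET /index.html HTTP/1.1" 200 50',
]
```

Run `evaluate(*probe("your.domain"))` at the edge and `verification_hits` over the CDN, load balancer and origin logs in turn; the first hop where Apple's requests disappear is where to look.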