Apple Pay, domain verification automatic renewal not working

Hi everyone,

We are integrating Apple Pay on the Web, and we're trying to get the automatic renewal of the domain verification working according to the documentation: https://developer.apple.com/documentation/apple_pay_on_the_web/maintaining_your_environment

Initially the domain verification is successful, but then the automatic renewal does not work. We keep getting the emails with the subject "Your domain will expire soon.", but they only say "We were unable to automatically to reverify your domain." without any further details.
We confirmed that the site's SSL certificate had already been renewed by the time Apple attempted the renewal of verification; the certs are renewed 30 days before their expiry (using Let's Encrypt). So according to the docs, at least the renewal attempts 15, and then 7 days before the expiry should be successful.

One example domain is this one: https://www.kayak.com/.well-known/apple-developer-merchantid-domain-association.txt, but we have the same issue for all our other domains as well.

Does anyone have suggestions how to troubleshoot this further?

(I tried creating a support ticket, but they basically replied that they're non-technical, and just linked me to the documentation.
I've seen others complaining about this too, but couldn't find a conclusive solution, so I thought I'd signal boost and create a fresh topic to see if there are any more recent findings about this problem.)

Thanks!
Regards,
Mark

  • Watching this thread, please let us know if you found a solution, this problem is very annoying. We are using Let's Encrypt also, so having to manually revalidate several domains every 3 months is annoying and risky (sometimes the system isn't working or down, so risk not being able to renew in time). Even if we switch to a different SSL provider, they limit certs to 1 year now, so not like before where this was just a once every 3 to 5 year problem.


Replies

Watching this thread too. The SSL certificate was renewed (Let's Encrypt) some weeks ago, but Apple failed to detect the new certificate and sent a warning email. After updating apple-developer-merchantid-domain-association.txt to the new one and verifying MANUALLY, the new SSL certificate is detected.

We are also having this problem... We have to manually upload the txt file to get the domain validated. Please let us know if there is any solution to this.

Did you ever figure this out or did it resolve itself? I received the 30-day notice email and promptly updated the domain. I clicked the verify button, which took me to the download/verify page. I downloaded the new file, uploaded it and everything was working fine. Clicked the verify button and it goes back to the Configuration, identifiers and profiles page.

The verify button is still available (rather than greyed out) and the expiration date does not update. I have done this multiple times with the same results. Figured that per Apple's documentation stating that they check every 30, 15 and 7 days out, that I could wait until 15 days and the date would change. 15 days passed yesterday and still the same. Downloaded and uploaded a new .txt file and re-verified even after removing the domain completely. Verified fine but the expiration date is the exact same as before...prior to removing the domain...

Any thoughts? Again, I am just going to leave it and pray that on the 7th day, the expiration date just updates itself...otherwise I am not sure what to do.

All of the other certificates have expiration dates way later this year. The only thing that is expiring any time soon is one of our three merchant domain verification txt files. Do I perhaps have to just make a totally brand new merchant identity certificate and renew everything?

Same here, we use Cloudflare to automatically renew the SSL certificate: Universal certificates issued by Let’s Encrypt or Google Trust Services have a 90 day validity period. Cloudflare tries to renew the certificate starting 30 days before expiration.

I also read the document and thought that after we updated the SSL certificate, "Apple detects the renewed certificate and the domain remains verified", and extends the expiration check according to the renewed certificate.

But that did not happen. Here is an example. SSL certificate expiration date: 5/15

  • 4/17: Receive first warning email (i.e. 30 days before expiration)
  • 4/17: Cloudflare renews the certificate, not sure before or after Apple's check
  • 5/2: Receive second warning email (i.e. 15 days before expiration)

We have to manually update the apple-developer-merchantid-domain-association.txt and verify again.