Domain verification failed

Dears

When I try to verify a domain, it shows this error:

" Domain verification failed. Review your TLS Certificate configuration to confirm that the certificate is accessible and a supported TLS Cipher Suite is used. "

I'm using a Cloudflare SSL certificate.

Yes, it looks like either the Apple Pay servers cannot access your certificate or it was not able to be used for Apple Pay on the Web due to the Cipher Suites on the certificate.

1) Make sure the domain you are verifying is not behind a proxy.

2) That your certificate is using at least TLS 1.2 with one of these Cipher Suites (Prefer Elliptic Curve):

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256

3) If your domain is not publicly accessible you may need to provide access to these IPs for verification:

17.32.139.128/27
17.32.139.160/27
17.140.126.0/27
17.140.126.32/27
17.179.144.128/27
17.179.144.160/27
17.179.144.192/27
17.179.144.224/27
17.253.0.0/16

4) If you are unable to find the issue, try setting the server access logs to verbose and retrying the domain verification. The logs should tell you where the breakdown is.


Setting Up Your Server

https://developer.apple.com/documentation/apple_pay_on_the_web/setting_up_your_server


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Hi,

I am encountering the same issue. I purchased both the domain name and the SSL certificate from GoDaddy and have set them up properly. Recently I changed to Cloudflare's DNS to take advantage of the CDN, so of course I had to turn on the proxy on Cloudflare. When I was trying to verify a domain in order to provide Apple Pay on my website, it showed the error message talal2020 mentioned. Then I turned off the proxy on Cloudflare and verified again, and it was successful. Although the status is now "verified", I'm afraid that turning on the proxy again will result in failure when paying via Apple Pay on my website.

Is there any way that I can use Cloudflare's proxy and provide Apple Pay as well on my website?

You say "Prefer Elliptic Curve". But all cipher suites you listed are RSA ones.

You are correct, this list is old. I was recently part of an effort to get this list updated to the current one that includes RSA and Elliptic Curve Ciphers (r. 70349430).

See the updated list here.

Regarding:

However domain verification fails and our server log says "none of the cipher suites supported by the client application are supported by the server". Please advise

If you are unable to work through this, please open a TSI and I can look deeper into this. Please reference this Forums post on your incident.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

@30e525f9

We have had an incident open for over a week; its number is 770249757.

Yeah, I did not see 770249757 anywhere in the DTS system.

Regarding:

Here is a TSI case ID: 101414548327. Dear Matt, we're still waiting for any reaction on the Technical Support ticket from Jun 22. BTW, its ID is 101417655497.

This is also not a DTS Incident number: 101417655497. This is another team here at Apple, but I am unable to see which one.

What is the status of the issue? Are you still not able to get your domain verified?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

You can open a TSI, or a Code-Level Support incident, here.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

A short summary for this issue.

Apple's server uses an insufficient set of cipher suites:

  • Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
  • Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
  • Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
  • Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
  • Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
  • Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
  • Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
  • Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
  • Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)

So if anybody else uses an ECC certificate, be aware that the suites above are all RSA.

Going to submit a bug report now.
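A check for the summary above and for the server-log error quoted earlier in the thread ("none of the cipher suites supported by the client application are supported by the server"), added here as an example; it is not code from the thread or from Apple. It maps the nine suites in the list to their OpenSSL names, works out which of them a server with a given leaf key type and highest TLS version can actually negotiate, and can probe a host with that same restricted offer. The host passed to `probe` is a placeholder supplied by the caller.

```python
"""Cipher-suite compatibility check for Apple Pay domain verification.
Added example, not Apple's tooling. Suite list is the one in the summary
above; OpenSSL names are the standard aliases for those IANA names."""
import socket
import ssl

# IANA name -> (OpenSSL name, TLS version, leaf key type the suite requires).
# The TLS 1.2 *_RSA_* suites only work with an RSA certificate; the TLS 1.3
# suites do not encode the key type, so an ECDSA certificate works there.
APPLE_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": ("ECDHE-RSA-AES128-GCM-SHA256", "1.2", "RSA"),
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": ("ECDHE-RSA-AES128-SHA256", "1.2", "RSA"),
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": ("ECDHE-RSA-AES128-SHA", "1.2", "RSA"),
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": ("DHE-RSA-AES128-GCM-SHA256", "1.2", "RSA"),
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": ("DHE-RSA-AES128-SHA256", "1.2", "RSA"),
    "TLS_RSA_WITH_AES_128_GCM_SHA256": ("AES128-GCM-SHA256", "1.2", "RSA"),
    "TLS_RSA_WITH_AES_128_CBC_SHA256": ("AES128-SHA256", "1.2", "RSA"),
    "TLS_AES_128_GCM_SHA256": ("TLS_AES_128_GCM_SHA256", "1.3", None),
    "TLS_AES_256_GCM_SHA384": ("TLS_AES_256_GCM_SHA384", "1.3", None),
}


def common_suites(key_type, max_tls="1.3"):
    """Suites from the list that a server with this leaf key type ('RSA' or
    'EC') and this highest TLS version can negotiate. An empty result is the
    'none of the cipher suites supported by the client' failure: an ECDSA
    certificate on a server capped at TLS 1.2 has nothing in common."""
    return [name for name, (_, ver, need) in APPLE_SUITES.items()
            if need in (None, key_type) and ver <= max_tls]


def probe(host, port=443, timeout=5):
    """Handshake with host offering only the TLS 1.2 suites above. Python's
    ssl module keeps its default TLS 1.3 suites enabled (it has no API to
    restrict them), which covers the two 1.3 entries. Returns the negotiated
    suite, or the handshake error text to compare with the server's log.
    Probe the origin directly if the public name sits behind a proxy."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(o for o, v, _ in APPLE_SUITES.values() if v == "1.2"))
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                suite, proto, _bits = tls.cipher()
                return {"ok": True, "suite": suite, "protocol": proto}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}
```

Running `probe("your-origin.example")` against the origin (not the proxy) with an ECDSA certificate should succeed only on a TLS 1.3 suite; a TLS-1.2-only origin with that certificate reproduces the "no shared cipher" failure.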

Hi, I was facing a similar issue.

Simple solution which worked for me: add the intermediate chain of the SSL certificate on your server.

For example, on Apache, add the certificate chain to your config: SSLCertificateChainFile /etc/pki/tls/certs/chain.crt
