
I'm developing the integration of a Payment Method to Shopify which asks me to validate their (as client) requests using mTLS.

Payments apps must implement mTLS to handle all* requests where they are acting as the server and Shopify as the client. This is the case when Shopify initiates sessions with payments apps. In those cases, Shopify uses its own client certificate. Payments apps must use the self-signed CA provided below in order to validate that certificate. Using mTLS in these scenarios allows payments apps to verify that the client initiating the request is Shopify and that the traffic between Shopify and the payments app is trusted and secure.

I'd used ngrok tunnels in many other integrations with Shopify, but since they were not a payment application, Shopify didn't require mTLS, so I had no problems using the tunnels.

Now that I make the client certificate validation in the server:

  // Imports and the Express app are assumed to be declared earlier in the poster's file;
  // APP_PORT and APP_URL likewise come from the poster's configuration.
  const https = require('https');
  const fs = require('fs');
  const path = require('path');
  const express = require('express');
  const app = express();

  https
    .createServer(
      {
        requestCert: true,          // ask the client (Shopify) for a certificate
        rejectUnauthorized: true,   // fail the handshake if it does not chain to `ca`
        ca: fs.readFileSync(path.join(__dirname, 'security', 'ca.pem')),
      },
      app
    )
    .listen(APP_PORT, () => console.log(`Server listening at: ${APP_URL}`));

Where 'ca' points to the certificate that Shopify gives me in the documentation.

When I try to access my ngrok URL I get this message:

ngrok gateway error

The server returned an invalid or incomplete HTTP response.

ERR_NGROK_3004

Looking in the ngrok documentation, I found that it's possible to use TLS tunnels.

The first question is: If I use a TLS tunnel, will I stop getting that error?

On the other hand, Shopify also requires that:

The payments app also needs to provide a certificate that Shopify will validate. For this certificate, you need to use a Trusted CA Signed SSL Certificate, and not Shopify’s self-signed CA.

The second question is: When I put the app on a server with an HTTPS-certified URL, I understand that I will fulfill this requirement. But I would like to know if, while I'm locally developing the app, it's OK to use a certificate generated, for example, with OpenSSL?

The reason I ask for your help and don't try to use an mTLS tunnel is that you need a paid ngrok account to access that type of tunnel, which I don't have.

Thank you very much.

I'm using Node + Express for the server.

Shopify Documentation: https://shopify.dev/apps/payments/general-transaction-requirements

1 Answer

I ended up sending the following email to ngrok support:

Hi there, my name is Juan and I would like to know if you can help me with the following:

I'm developing the integration of a Payment Method to Shopify which asks me to validate their requests using mTLS.

I'd used ngrok tunnels in many other integrations with Shopify, but they didn't require this particular validation and I had no problems with them.

Now that I make the client certificate validation in the server, when I try to access my ngrok URL I get this message:

ngrok gateway error

The server returned an invalid or incomplete HTTP response.

ERR_NGROK_3004

Looking in the ngrok documentation I found that it's possible to use special TLS tunnels.

The question is: If I use a TLS tunnel, will I stop getting that error? I write to you because if it does solve the problem I will ask my company to upgrade my plan so I can have access to the TLS tunnel. But I wanted to be sure that it will fix the problem before asking.

Thank you very much.

And they answered with the following email:

Hi Juan,

We do support mTLS at our edge for HTTP tunnels. You would create an endpoint configuration of the mutual TLS type and attach it to your domain.

https://dashboard.ngrok.com/endpoints/configs

We also support mTLS at the agent or at your server for our TLS tunnels as you say but this may be more complicated to set up.

If it doesn't work, we do have a 15 day money back guarantee.

Ben

Since it was not possible for me to pay for the account and access these features, I ended up developing the app on a staging server, where I had no problems. I hope that this helps you! :)