
We have a domain with Let's Encrypt certificates which are renewed every three months. However, every time the certificate is near its expiry (today is 11th July, the certificate expires 21st July), I am receiving an email from Apple:

Apple Developer

Dear Admin,

Your website domain that uses Apple Pay has an SSL certificate that expires on Jul 21, 2022. After automatically trying to reverify your domain, we found that this SSL certificate has not been updated. Your domain is automatically checked 30 days, 15 days, and 7 days before this expiration date.

If you have an updated SSL certificate and the domain hasn't been successfully verified 7 days before expiration, please revalidate it manually by Jul 21, 2022 in Certificates, Identifiers & Profiles to ensure uninterrupted use of Apple Pay on your website.

However, once the certificate is renewed, I always have to log in to the Apple developer console, download a new apple-developer-merchantid-domain-association.txt and deploy it again to our website.

This is time consuming and inefficient. Is there another way to do this instead of reuploading this file every three months?

Dai
Vojtěch
  • Is this a customer-facing domain-name, or a domain-name that is only used by Apple's payments system (or other back-end system) to communicate with your service? If it's the latter, then you could use an old-fashioned annually renewed (i.e. non-ACME) certificate just for that domain name. – Dai Sep 04 '22 at 17:39
  • It is our public domain, widely used by regular internet visitors. I could of course use some non-ACME cert, but this is not a solution I would like either :-) – Vojtěch Sep 05 '22 at 08:10
  • Are you certain that your certificate is renewing more than 7 days before expiration? I've seen some managed hosting services renew their Let's Encrypt certs *at* 7 days before expiration and it caused issues for us. – BrokenBinary Sep 09 '22 at 02:30
  • @BrokenBinary I can see the certificate already renewed and only after that I have to reupload a new *domain-association file as the Apple environment keeps saying the validation is invalid. – Vojtěch Sep 12 '22 at 06:06

1 Answer


The current line of thinking is to renew certificates every 90 days. Apple is automatically checking, per your email, at 60, 75, and 82 days.

If you altered your Let’s Encrypt automation to renew your certificate every 50 days, Apple’s automatic checks should resolve the issue.

Per Apple's documentation:

If you update the SSL certificate before it expires, Apple detects the renewed certificate and the domain remains verified. No further action is required on your part.

James Risner
  • I did not change any automation to renew as the certificate is renewed automatically by Fastly. It seems to me that once it is renewed, the Apple reauthorization is necessary in all cases. (the downvote is not from me) – Vojtěch Sep 12 '22 at 06:05
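As an added illustration of the answer's reasoning (example code written for this page, not from the question, the answer, Apple or Let's Encrypt): the script below models one 90-day certificate lifetime against the 30/15/7-day re-verification offsets quoted in the email, showing which of Apple's checks land after the renewal for a given renew-before-expiry setting, and it includes two live checks a defender would run from monitoring, reading the served certificate's expiry over TLS and fetching the domain association file. Assumptions: the file is served at `/.well-known/apple-developer-merchantid-domain-association.txt` (the question only names the file), a check on the same day as the renewal is treated as not seeing the new certificate, and `example.com` is a placeholder host.

```python
"""Check a Let's Encrypt renewal schedule against Apple Pay domain re-verification.

Added example for this page; offsets come from the email in the question,
the .well-known path and same-day ordering are assumptions."""
import socket
import ssl
import time
import urllib.error
import urllib.request

# Days before expiry at which Apple re-verifies the domain (from the quoted email).
APPLE_CHECK_DAYS = (30, 15, 7)
# Path Apple fetches the association file from (assumed; the question names only the file).
ASSOCIATION_PATH = "/.well-known/apple-developer-merchantid-domain-association.txt"
SECONDS_PER_DAY = 86400


def days_until_expiry(not_after, now_seconds=None):
    """Whole days left given a notAfter string as returned by getpeercert(),
    e.g. 'Jul 21 00:00:00 2022 GMT'. now_seconds defaults to the current time."""
    expiry_seconds = ssl.cert_time_to_seconds(not_after)
    if now_seconds is None:
        now_seconds = int(time.time())
    return (expiry_seconds - now_seconds) // SECONDS_PER_DAY


def check_schedule(lifetime_days, renew_before_expiry_days, check_days=APPLE_CHECK_DAYS):
    """Model one certificate lifetime.

    Returns (renewal_day, [(check_day, sees_renewed_cert), ...]) with days counted
    from issuance. A check falling on the renewal day itself is counted as NOT
    seeing the new certificate (assumption: ordering within that day is unknown)."""
    renewal_day = lifetime_days - renew_before_expiry_days
    checks = []
    for offset in sorted(check_days, reverse=True):  # earliest check first
        check_day = lifetime_days - offset
        checks.append((check_day, check_day > renewal_day))
    return renewal_day, checks


def all_checks_see_renewal(lifetime_days, renew_before_expiry_days, check_days=APPLE_CHECK_DAYS):
    """True when every automatic check happens after the renewed cert is in place."""
    _, checks = check_schedule(lifetime_days, renew_before_expiry_days, check_days)
    return all(seen for _, seen in checks)


def fetch_peer_not_after(host, port=443, timeout=10):
    """Open a TLS connection and return the notAfter field of the served certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def association_file_status(host, timeout=10):
    """HTTP status for the association file; 200 means Apple's fetch can succeed."""
    req = urllib.request.Request(f"https://{host}{ASSOCIATION_PATH}", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    left = days_until_expiry(fetch_peer_not_after(host))
    print(f"{host}: served certificate expires in {left} days")
    if left <= max(APPLE_CHECK_DAYS):
        print("  inside Apple's re-verification window; the renewed cert should already be deployed")
    print(f"  association file HTTP status: {association_file_status(host)}")
    for renew_before in (30, 40):  # certbot's default offset vs. the answer's day-50 renewal
        day, checks = check_schedule(90, renew_before)
        print(f"  renew {renew_before} days before expiry (day {day}): {checks}")
```

Run it as `python3 applepay_check.py shop.example.com` from a monitoring host. With the default 30-day offset the first Apple check falls on the renewal day itself, which is the ambiguity the answer is avoiding; renewing 40 days before expiry (day 50) puts all three checks after the new certificate is live. With certbot that offset is the `renew_before_expiry` value in the per-domain file under `/etc/letsencrypt/renewal/`; a managed CDN such as the one mentioned in the comments has its own renewal timing, so the TLS check above is the way to confirm what is actually being served.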