Develop Reference

Sign In with Apple: verify my domain not working

I was integrating Sign in with Apple in my mobile app. I followed the configuration steps provided in the developer portal and downloaded the apple-developer-domain-association.txt file and placed it on my server at the given path. Now the file is loading from web browser but I'm not able to verify my domain on Apple developer account. Its giving me an error message "Verification failed for domain".
Anyone got same issue? how to get verified sucessfully

To verify domain to configure Sign in With Apple apple-developer-domain-association.txt file must be accessible publicly.
https://{YOUR_DOMAIN}/.well-known/apple-developer-domain-association.txt
Make sure
Domains and domains associated with email addresses must comply with Sender Policy Framework (SPF) standards.
Must be accessible via https. http doesn't work.
No redirect not even to wwww. Example url mentioned above must serve the apple-developer-domain-association.txt file without any redirects.
Hint: if you are serving apple-developer-domain-association.txt with www than you must register domain www.{YOUR_DOMAIN} white configuring sign in with apple configuration on developer.apple.com. To do that you have to make sure www.{YOUR_DOMAIN} is SPF compliance.

In continues and addition to #Bilal
A. If the domain is not SPF compliant you will be noted immediately when trying to add it in the developer portal
B. If you not sure whether your site is redirected yo can check it in http://www.redirect-checker.org/ or just use postman and disable 'Automatically follow redirects' option in the request settings
C. Apple require that your server must support the Transport Layer Security (TLS) 1.2 protocol and one of the cipher suites listed below:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
For me the problem was the www redirect I had no clue our servers do that, my devops helped me solve this just for the verification.
Best solution IMO is just use your own relay microservice with a unique dedicated domain...

To expand on #MTZ4's response (upvoted BTW because you nailed it), here is the process that I needed to work through, with some pointers to anyone else not quite as familiar with working through these types of problems.
In my case, I had CloudFlare dealing with both the DNS and TLS cipher certificates and Heroku serving the site.
The first step is determining whether your TLS provider serves the appropriate TLS ciphers required by Apple.
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
One of the easiest way's to do this is by using SSL labs certificate checker. Simply enter your root domain and let the report run (takes a few minutes). In the report response, look for the section Cipher Suites and verify the TLS ciphers Apple wants are available. In the image below you can see them in orange and marked as weak.
You can ignore the weak status, this is because these ciphers do not use ephemeral keys and will not be used in TLS 1.3.
If you want a more comprehensive test, install NMAP and then download the ssl-enum-ciphers script. After installing NMAP and downloading the script, execute the script against your domain:
nmap --script ssl-enum-ciphers -p 443 my-root-domain.com
This produces a result set that looks like this:
Once again look for the TLSv1.2 section and check your list of ciphers against Apple's list. If they are not present (they are missing in the image above), then that is where your problem lies.
So how to fix? Well there are a few options and it all depends upon your TLS provider, which may be your web host or may be your DNS host depending upon your configuration.
For us, we are using CloudFlare as our DNS provider. CloudFlare also provides the TLS ciphers. Because CloudFlare does not support the ciphers Apple requires (the NMAP image above) and they won't add them due to their security concerns about TLS 1.2 and moving to TLS 1.3, we had to disable CloudFlare's proxy service to allow the TLS certificates that were being provided by our hosting service (Heroku).
This turned out to be easy. Just logging into CloudFlare, going to the DNS entries and changing the traffic routing behavior (click the orange cloud to make it grey for verification, then click it again once verification is done). For more information see CloudFlare's support page.
After doing this, Heroku was serving the TLS ciphers, which include the Apple required ones (as shown in the SSL Labs image above).
Ultimately whoever is serving your TLS ciphers must include the ones Apple needs. If your tests above don't show the correct ciphers, check your DNS/TLS service and your hosting provider to see if they support them. If they don't, then you may need to switch.
Finally, it is also worth noting that in Apple's developer portal, when you click the download button for the verification file, do not click it again! Each time you click the button, the verification file changes as it seems to be dynamically generated.
Just fix all the TLS issues, then log into the Apple developer portal, download the file, upload to your server and then verify.
I did end up working with Apple support on some of this and they are looking at adding some documentation to the verification page that states what ciphers are needed so others don't hit the same problems.

I'm running node js and express and had the issue because I bought a cheap SSL cert from Sectigo.
Here's what I did to fix it.
Check your SSL certificate for errors https://www.digicert.com/help/
I had to install an intermediate certificate. That solved the issue.
If you perform the check in Safari, it won't give you a confirmation that the domain is verified.
Instead, perform the check in Chrome and it will give you a confirmation.
Inspect the HTTP header coming back from your server. If it's a 301 Apple won't follow it. Instead, the verification file must be returned via 200 HTTP status code. The verification file I'm referring to is https://example.com/.well-known/apple-developer-domain-association.txt where example.com is your domain.

If you are using Cloudflare free tier, upgrading to the PRO plan (currently $20/month) does the trick. All their paid plans include the required ciphers.
And of course, you can always cancel the plan after verifying and go back to free.

NET::ERR_CERT_AUTHORITY_INVALID https in red color

When i try to access my ruby site from android mobile device i get following error, can anyone help me solving this problem.
With following added error NET::ERR_CERT_AUTHORITY_INVALID

You need to add intermediate certificate file in your nginx configuration. Here is the powerfull tool by zakjan to obtain the intermediate certificate files using your main certificate, Store obtained crt file to your server and mentioned it in the nginx.conf in ssl_certificate

If it's not self-signed then one of certificates in your ssl certificate chain may use vulnerable encryption algorithms like SHA-1. Check what encryption each certificate uses (you may do it on PC). Probably you will need to find ssl registrator which does not uses old encryption algorithms.
you may use https://www.ssllabs.com/ssltest/ to check if your site has issues with SSL configuration or certificate itself.
In fact i just checked it and here's result http://i.imgur.com/X9dPX8Q.jpg . The vulnerabilities it output could be the reason why mobile chrome is not trusting the certificate and shows you warning.
Another possible issue is man in the middle attack on your device. What network are you using? is it the same as your PC network? if not, it could be mitm attack on you.

Delphi Indy 10 TCP Server/Client and SelfSigned Certificated

I state that I am not an expert.
I'm trying to create a TCP server / client encrypted. I have implemented SSL, and I created a key selfsigned and its certificate.
I realized, thanks to many post also read on this site that i do not need to use the certificate. I refer in particular to a user's response Remy Lebeau: Delphi Indy - How to get SSL certificates for a SSL-TCP Client/Server link with Indy 10
Now I was wondering if you can, somehow, prevent attacks man in the middle.
Or rather, if I implement the code of the app the signature and fingerprint of the certificate and verify during event OnVerifyPeer is enough?

Are SSE messages encrypted over an https connection?

Say I configured my NGINX server with SSL and
I am able to establish and keep a server sent events connection
to my Rails server.
Would every message from thereon from Rails to my browser be
undecipherable to any prying eyes on the Internet.
Moreover would I be even able to establish such a connection? Since all I hear is that SSE works over http.

Yes.
Be aware that connecting from an http html page to an https SSE URL counts as a different origin, meaning you will hit CORS restrictions.
According to a footnote in my book (Data Push Apps With HTML5 SSE) Chrome was not accepting self-signed SSL certificates for use with SSE, as of early 2014. (But it was also not accepting them for XMLHttpRequest, i.e. ajax, either.) (A quick search shows people still posting bug reports about self-signed certificates not working, so this might still be the case.)

API only works when fiddler is running

I've written a utility app for loading data into shopify through the rest API.
Having a strange error where the api only works when I'm running Fiddler.
Any idea what's going on? I'm sure it's a configuration issue rather than a code issue.
When Fiddler is running web access is through a proxy on 127.0.01:8888.
I'm not advanced enough on SSL to figure this one out. Do you need a self signed certificate to connect to an SSL API.
I found a few posts suggesting setting ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls but that didn't fix it!

>> Do you need a self-signed certificate to connect to an SSL API.
We faced similar issue with our application. If API has any certificate errors (In our case, we are using self-signed certificate), Browser will not allow you to interact with API.
Solution : Install your root Certificate, so that browser will start honoring your self-signed certificate.
>> Having a strange error where the api only works when I'm running Fiddler. Any idea what's going on? I'm sure it's a configuration issue rather than a code issue.
Whenever you enable HTTPs traffic decryption in fiddler (see below image for enabling this setting in fiddler), below things will happen.
Fiddler will automatically install its root certificate
"DO_NOT_TRUST_FiddlerRoot" to Browser's CA list.
Fiddler will use your API's self-signed certificate to decrypt HTTP traffic.
Again fiddler will encrypt same HTTP traffic using fiddler signed
certificate, i.e, for all your API calls will have fiddler signed
certificate
As fiddler signed certificates are trusted by user browser (due to step#a), you will not see any certificate errors.
Hope this information helps you!

Turns out I was setting SSL type to SSL3.
i.e. I had this code
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
and shopify doesn't use SSL3 any more.
Turns out it was nothing to do with installing certificates.