#stephricardo-applepay-verification
Not immediately sure. Can you provide your account id? That will help me look closer at your setup
Can I send this to you via a direct message?
Sure, or you can send it in this chat
I can use it to look up further info but others cannot
Whichever you would prefer
Thank you again!
So it looks like I was accessing your file incorrectly before
If I use curl to access the apple-developer-merchantid-domain-association file from one of your working domains I actually see the file
curl -s https://working-subdomain.yourwebsite.com/.well-known/apple-developer-merchantid-domain-association
But if I do that same curl command pointing at the domain that is having issues I get an HTML response
So the issue appears to be that that path at the subdomain you are having an issue with is not directly serving the domain association file
If you do curl at the domain that isn't working do you recognize what is getting sent back?
When I visit the path in my browser, I am able to see it successfully. When I try the curl command, I get back the file data as the response
Yeah same. I did browser too at first which somehow overlooked this
When I use the curl command on another subdomain that registered successfully, it returns the same output
Oh interesting. As in for both of them you get the domain association file?
Or both you get the HTML? I am still seeing different responses
I see the same domain association file for both responses
When I use curl on the domain that has an issue, I see only the domain association file data returned. I am not seeing html in the response.
When I use curl on a domain that registered successfully, I see the same domain association file data as the response too
Hey, sorry for the silence here. Still looking into this. Many of my colleagues can see the file when they do the curl command that most accurately simulates how Apple tries to pull your domain file: curl -v --compressed https://subdomain.yourwebsite.com/.well-known/apple-developer-merchantid-domain-association -H 'Accept;' -H 'Accept:' -H "Via: https/1.1 usatl4-edge-bx-014.ts.apple.com[11FD071B] (ApacheTrafficServer/6.1.2)" -H "User-Agent: oslopartner Client 1.0" -H "Accept-Encoding: gzip"
It looks like the colleague and I that are getting the strange HTML are getting something from Cloudflare, so something may unexpectedly be getting cached
The next steps we'd recommend are disabling any kind of firewall/bot/DDoS protection for these URLs, and making sure Stripe's IPs (https://stripe.com/docs/ips#webhook-notifications) and Apple's (https://developer.apple.com/documentation/apple_pay_on_the_web/setting_up_your_server , bottom of the page) are allowed to access them without restriction
No problem! Thank you for your help! So due to this it could occur at any time for any subdomain? Ok. When I run this curl command for the domain with the issue, I do see the expected association file output. I will check out the docs.
We won't be able to disable any protection we have, but we can look into the allowed ips! Thank you!
I am unsure, I will consult my colleagues further on this. Will get back with what I hear.
Sounds good, let me know if that helps. If it doesn't I will see what else can be done
Ok! Thank you so much! I really appreciate the investigation here. Those docs are really helpful. I will let you all know if we encounter further issues.
So I think for this you should just need the webhook notification IPs. Those would be our IPs that would reach out to your server; the fuller list would include IPs you reach out to
Got it. Thank you!!
I appreciate you reopening this to answer the question.
Hope you have a good day!
Of course. Let me know if that helps. I've still been having trouble finding out exactly what is failing here so I'm still unsure on your "can this happen to any subdomain at any time" question.
Yeah, I'm hoping this will help resolve the issue. We'll reach out if we find it continues and we can't register this domain once we've applied our changes.
@tropic pagoda hello! reopened this cause we have IDs and some state here, looking one sec
Thank you @oblique mantle!
@tropic pagoda so some of us are still seeing a different response when making that curl command
When you can, could you please send the response you see as a direct message?
Thank you for looking into it @oblique mantle. So you see an HTML page?
I think the first few times, Pompey was seeing some html/js being spit out but now is seeing the response, so I'm not sure what it is but maybe some Cloudflare config that isn't returning the file immediately?
We'll double check. We haven't been able to replicate this issue on our end.
Can any of the js/html output that was seen please be shared? Did you or a member of the team see this output today after the allowed IP changes we made?
Pompey saw it today but is in a meeting but I'll ask them if they have that output still open, to share
Ok. Thank you @oblique mantle!
This is the response I see when I run curl -v --compressed https://yoursubdomain.yourdomain.com/.well-known/apple-developer-merchantid-domain-association -H 'Accept;' -H 'Accept:' -H "Via: https/1.1 usatl4-edge-bx-014.ts.apple.com[11FD071B] (ApacheTrafficServer/6.1.2)" -H "User-Agent: oslopartner Client 1.0" -H "Accept-Encoding: gzip"
Thank you! I will follow up soon.
Feel welcome to archive the issue if needed, and I can reach back if we haven't found the issue. I appreciate all your help!