Super Bot Fight Mode is blocking Apple Domain Verification Through Stripe

For Workers & Pages, what is the name of the domain?

What is the error number?

403

What is the error message?

We attempted to retrieve the file at https://presale.hobbysmartcase.com/.well-known/apple-developer-merchantid-domain-association, but received a 403 status code from your server. Please check that the file is hosted correctly. Note that our servers most likely send different HTTP headers than your browser; you should check your logs to see why the request failed. For more information, see Register domains for payment methods | Stripe Documentation.

What is the issue or error you’re encountering

Super Bot Fight Mode is blocking Apple Domain Verification Through Stripe

What steps have you taken to resolve the issue?

Changed the settings in Super Bot Fight Mode so Definitely automated is set to Allow

What are the steps to reproduce the issue?

I was trying to connect a domain to Stripe. Stripe uses these domains for Apple Pay.

I was able to access the Apple verification file in /.well-known/ directly. However, when Stripe tried to verify the domain it was throwing an error saying that file was throwing a 403.

When I turned off bot blocking as described above Stripe was able to verify the domain. It seems that Super Bot Fight Mode has blocked the Apple Verification bot. Those domains/IPs are visible here: Setting Up Your Server | Apple Developer Documentation

Is it possible to allowlist those?

You can create a WAF custom rule to skip Super Bot Fight Mode for the IP addresses in the list.

Ok I will try that out

Tried that and it didn’t work. Had the same original error. This is the rule that I set up. Does it look correct? The IPs are from the Apple documentation from the initial post.

You are entering that under the Managed Rules. Instead you need to create it under the Custom Rules as you want to specifically skip the Super Bot Fight Mode as you say that’s what is blocking the requests from Apple.

If unsure, check your security event log which will tell you why the request was blocked and then you can craft the rules accordingly…
https://dash.cloudflare.com/?to=/:account/:zone/security/events


What is the name of the domain?

temp56.launchboom.co

What is the issue you’re encountering

Super Bot Fight Mode is blocking Apple Domain Verification Through Stripe

What steps have you taken to resolve the issue?

Created a list of IPs and a custom rule to allow these IPs

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Off

What are the steps to reproduce the issue?

I was trying to connect a domain to Stripe. Stripe uses these domains for Apple Pay.

I was able to access the Apple verification file in /.well-known/ directly. However, when Stripe tried to verify the domain it was throwing an error saying that file was throwing a 403.

When I turned off bot blocking as described above Stripe was able to verify the domain. It seems that Super Bot Fight Mode has blocked the Apple Verification bot. Those domains/IPs are visible here: Setting Up Your Server | Apple Developer Documentation

Then created a custom list of the IPs and a custom rule to allow these IPs. In the Super Bot Fight Mode settings turned the Definitely automated bots back to managed challenge.

It did not fix the issue.

Screenshot of the error

This is a screenshot of the custom list

If you are using Stripe for Apple Pay, you may have to allow the IPs from Stripe.
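A sketch of the custom rule discussed in the replies above, added here as an example and not posted by any participant: it builds a skip rule limited to the verification path and an IP list, and checks locally which requests it would cover. The sample addresses are constructed documentation ranges, and the `skip` action with phase `http_request_sbfm` is an assumption about how the Rulesets API expresses "skip Super Bot Fight Mode"; confirm it against the current Cloudflare documentation.

```python
import ipaddress
import json

# Path from the error message in the thread.
VERIFY_PATH = "/.well-known/apple-developer-merchantid-domain-association"

# Constructed sample entries (RFC 5737 documentation ranges), NOT real
# Apple or Stripe addresses; substitute the published ones.
SAMPLE_ALLOWED = ["192.0.2.0/24", "198.51.100.17"]


def normalise(entries):
    """Parse IPs/CIDRs; raises ValueError on typos such as host bits set."""
    return [ipaddress.ip_network(e.strip(), strict=True) for e in entries]


def build_skip_rule(entries, path=VERIFY_PATH):
    """Return a custom-rule body that skips SBFM only for these IPs and path."""
    nets = normalise(entries)
    # Single hosts are written bare, ranges in CIDR form, space-separated.
    ip_set = " ".join(
        str(n.network_address) if n.num_addresses == 1 else str(n) for n in nets
    )
    return {
        "description": "Skip SBFM for Apple Pay domain verification",
        "expression": f'(ip.src in {{{ip_set}}} and http.request.uri.path eq "{path}")',
        # Assumed Rulesets API spelling of "skip Super Bot Fight Mode".
        "action": "skip",
        "action_parameters": {"phases": ["http_request_sbfm"]},
    }


def rule_matches(entries, src_ip, path):
    """Local approximation of the expression for one request."""
    addr = ipaddress.ip_address(src_ip)
    return path == VERIFY_PATH and any(addr in n for n in normalise(entries))


if __name__ == "__main__":
    print(json.dumps(build_skip_rule(SAMPLE_ALLOWED), indent=2))
    # A fetcher outside the list still reaches Super Bot Fight Mode.
    print(rule_matches(SAMPLE_ALLOWED, "203.0.113.9", VERIFY_PATH))
```

The source IP recorded in the security event log for the blocked request is the one that has to be in the list; a rule built from a different service's addresses never matches.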