Hi Forum,
We are developing a payment app and we understand the requirements below. However, where does the payment app actually upload / provide the signed SSL certificate?
We have reviewed https://shopify.dev/apps/payments#mtls-configuration, however this does not address where or how the certificate is to be uploaded. Any help would be great!
Because mTLS is mutual, the payments app also needs to provide a certificate that Shopify will validate. For this certificate, you need to use a Trusted CA Signed SSL Certificate, and not Shopify’s self-signed CA.
I have the same issue, did you solve it?
I have solved the issue.
First of all, we do not need to upload any certificate.
Second, we could configure our certificate with nginx.
Could you please explain how you did that?
Hi,
It took me a lot of time trying to do this at the code level, but I could not implement it.
In the end, I was able to configure this at the server level using Apache. Below is the configuration.
Implement a set of Apache 2.4 directives, shown below, that require the client to support mutual TLS. They can be applied to specific directories or to all incoming connections. See the Apache 2.4 SSL documentation for more information.
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /etc/apache2/conf/shopify_root_cert.pem
Your web server is now configured to use mutual TLS to require the client (Shopify) to provide its certificate to identify itself. The next step is to use the client’s identity for access control. This example for Apache 2.4 is applied to a specific directory.
<Directory "/payments">
    SSLOptions +StdEnvVars
</Directory>
The above example sets the SSL library to create environment variables with information from the client’s certificate.
I hope this helps.
@Sushant do you use the certificate from https://shopify.dev/apps/payments#shopifys-self-signed-ca as /etc/apache2/conf/shopify_root_cert.pem?
Please if you know how to set this configuration on NGINX, let me know.
Thanks
For Laravel hosted on an Nginx server, I was able to make it work as follows. I combined the Shopify certificates into one file and applied optional checks for specific payment routes.
ssl_client_certificate /home/app/client_certs/shopify.crt;
ssl_verify_client optional;

location ~ ^/(initiate|refund|capture|void)$ {
    if ($ssl_client_verify != SUCCESS) {
        return 403;
    }
    try_files $uri $uri/ /index.php?$query_string;
}
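The difference between `ssl_verify_client on` and `ssl_verify_client optional` is the main point of confusion in this thread, so here is an added nginx example (written for this edit, not taken from the original posts or from Shopify's documentation) showing both variants side by side. The hostnames, certificate paths, the `ssl_verify_depth` value and the route names are assumptions; substitute your own.

```nginx
# Added example (not from the original thread). Hostnames, paths, depth and
# route names are assumptions for illustration.

# Variant A: the whole virtual host is mTLS-only. A client that presents no
# certificate, or one that does not chain to the bundle named in
# ssl_client_certificate, is refused by nginx itself (HTTP 400 for a missing
# certificate) and never reaches the application. Use this when the hostname
# receives only Shopify's server-to-server calls.
server {
    listen 443 ssl;
    server_name payments.example.com;                   # assumed hostname

    ssl_certificate     /etc/nginx/certs/server.crt;    # your CA-signed server certificate
    ssl_certificate_key /etc/nginx/certs/server.key;

    # PEM bundle of the CA certificate(s) that Shopify's client certificate
    # chains to; concatenate them into one file. Only these issuers are
    # accepted for client authentication.
    ssl_client_certificate /etc/nginx/certs/shopify.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;   # assumed; raise it if the chain has more intermediates

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
}

# Variant B: the same host also serves merchants' browsers (for example the
# app's admin pages), which never carry Shopify's client certificate, so the
# handshake must not require one. With "optional", nginx still validates any
# certificate that is sent and records the outcome in $ssl_client_verify
# (SUCCESS, NONE, or FAILED:<reason>); each server-to-server route must then
# enforce that result itself.
server {
    listen 443 ssl;
    server_name app.example.com;                        # assumed hostname

    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;

    ssl_client_certificate /etc/nginx/certs/shopify.crt;
    ssl_verify_client      optional;
    ssl_verify_depth       2;

    # Weak: a payment route without the check is reachable by any client,
    # because "optional" alone rejects nothing at the handshake.
    location = /unprotected-capture {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Corrected: reject anything but a successfully verified client
    # certificate before the request reaches PHP.
    location ~ ^/(initiate|refund|capture|void)$ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Browser-facing pages: no client certificate expected.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
}
```

Pick variant A when you can give the payment endpoints their own hostname; it fails closed at the TLS layer and there is no per-route check to forget. Pick variant B only when browser traffic must share the host, and then audit that every route Shopify calls carries the `$ssl_client_verify` test. In both variants the bundle passed to `ssl_client_certificate` is what decides which client certificates are trusted, so it must contain the CA that issued Shopify's client certificate and nothing broader.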
Hello,
I have applied your suggestion, but ssl_verify_client should be on, not optional. This way it matches the certificate?
I also use nginx, but I didn't manage to make this work. Does anyone have some info?