Sandbox App Store receipt cannot be refreshed because auth-sandbox.itunes.apple.com has an invalid certificate

When trying to refresh a sandbox receipt of my macOS app by using exit(173), storekitd on macOS Sonoma 14.1 logs the following (German) error:

```
fehler	18:32:58.421785+0100	storekitagent	com.(redacted): Failed to renew receipt for exit(173): Error Domain=AMSErrorDomain Code=100 "Authentication Failed" UserInfo={NSMultipleUnderlyingErrorsKey=(
    "Error Domain=AMSErrorDomain Code=2 \"Ein unbekannter Fehler ist aufgetreten. Versuche es erneut.\" UserInfo={NSLocalizedDescription=Ein unbekannter Fehler ist aufgetreten. Versuche es erneut.}",
    "Error Domain=NSURLErrorDomain Code=-1202 \"Das Zertifikat f\U00fcr diesen Server ist ung\U00fcltig. Eventuell wird eine Verbindung mit einem Server hergestellt, der vorgibt, \U201eauth-sandbox.itunes.apple.com\U201c zu sein und vertrauliche Daten gef\U00e4hrdet.\" UserInfo={NSLocalizedRecoverySuggestion=Soll die Verbindung zum Server trotzdem hergestellt werden?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9843, NSErrorPeerCertificateChainKey=(\n    \"<cert(0x14f033000) s: daiquiri-ext.itunes.apple.com i: Apple Public EV Server RSA CA 2 - G1>\",\n    \"<cert(0x14f01d000) s: Apple Public EV Server RSA CA 2 - G1 i: DigiCert High Assurance EV Root CA>\",\n
```

The error translates to:

The certificate for this server is invalid. A connection may be established with a server pretending to be "auth-sandbox.itunes.apple.com" and compromising confidential data.

The certificate returned by the sandbox auth server seems to be for daiquiri-ext.itunes.apple.com and not valid for auth-sandbox.itunes.apple.com.

When I try to enter https://auth-sandbox.itunes.apple.com in Safari, it tells me that it cannot establish a secure connection to the server.

curl -v https://auth-sandbox.itunes.apple.com logs this:

```
* Connected to auth-sandbox.itunes.apple.com (17.36.202.9) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: businessCategory=Private Organization; jurisdictionCountryName=US; jurisdictionStateOrProvinceName=California; serialNumber=C0806592; C=US; ST=California; L=Cupertino; O=Apple Inc.; CN=daiquiri-ext.itunes.apple.com
*  start date: Aug 28 18:07:16 2023 GMT
*  expire date: Dec 30 18:17:16 2023 GMT
*  subjectAltName does not match auth-sandbox.itunes.apple.com
* SSL: no alternative certificate subject name matches target host name 'auth-sandbox.itunes.apple.com'
* Closing connection 0
curl: (60) SSL: no alternative certificate subject name matches target host name 'auth-sandbox.itunes.apple.com'
```

Replies

We have had the same issue all day without resolution. iOS sandbox works fine, macOS sandbox returns this error on authentication attempt.

  • Thanks for your reply. I'm glad I'm not the only one. I opened a DTS yesterday, let's see.


My DTS request was closed telling me "Please submit a complete bug report regarding this issue using Feedback Assistant".

Of course I did that before contacting developer technical support, and the feedback ID number was included in the DTS form (FB13353908).

I hope this gets resolved soon.

I could just successfully refresh the sandbox app store receipt of my Mac app. Yay!

I didn't try it for a few days, so I'm not sure when it started working again.

https://auth-sandbox.itunes.apple.com still returns an invalid SSL certificate for me, so maybe that was not the root cause after all.
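The hostname mismatch shown in the curl output of the original post can be separated from a chain-trust failure with a short check; this is an added example, not part of the thread. The helper names and `SAMPLE_CERT` are assumptions: the sample is constructed from the subject CN in the curl output, and its SAN list is assumed to contain only that name, since the thread does not show the actual SAN entries.

```python
import socket
import ssl


def san_dns_names(cert):
    """DNS entries of subjectAltName in a dict shaped like SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125-style match: '*' is accepted only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject overly broad wildcards such as "*.com" and empty host labels.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def diagnose(cert, hostname):
    """Report which SAN names the certificate carries and whether any covers hostname."""
    names = san_dns_names(cert)
    return {"hostname": hostname, "san": names,
            "match": any(name_matches(n, hostname) for n in names)}


def fetch_cert(hostname, port=443, timeout=5.0):
    """Fetch the peer certificate; the chain is still validated, only the name check is off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED, so getpeercert() is populated
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample: CN taken from the curl output in the thread;
# the SAN list is an assumption (the thread does not show it).
SAMPLE_CERT = {
    "subject": ((("commonName", "daiquiri-ext.itunes.apple.com"),),),
    "subjectAltName": (("DNS", "daiquiri-ext.itunes.apple.com"),),
}

if __name__ == "__main__":
    print(diagnose(SAMPLE_CERT, "auth-sandbox.itunes.apple.com"))
```

If `fetch_cert()` succeeds against a live host while `diagnose()` reports no match, the chain is trusted and the only defect is the name, which is the situation the curl output describes.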