Sandbox App Store receipt cannot be refreshed because auth-sandbox.itunes.apple.com has an invalid certificate

When trying to refresh a sandbox receipt of my macOS app by using exit(173), storekitd on macOS Sonoma 14.1 logs the following (German) error:

```
fehler	18:32:58.421785+0100	storekitagent	com.(redacted): Failed to renew receipt for exit(173): Error Domain=AMSErrorDomain Code=100 "Authentication Failed" UserInfo={NSMultipleUnderlyingErrorsKey=(
    "Error Domain=AMSErrorDomain Code=2 \"Ein unbekannter Fehler ist aufgetreten. Versuche es erneut.\" UserInfo={NSLocalizedDescription=Ein unbekannter Fehler ist aufgetreten. Versuche es erneut.}",
    "Error Domain=NSURLErrorDomain Code=-1202 \"Das Zertifikat f\U00fcr diesen Server ist ung\U00fcltig. Eventuell wird eine Verbindung mit einem Server hergestellt, der vorgibt, \U201eauth-sandbox.itunes.apple.com\U201c zu sein und vertrauliche Daten gef\U00e4hrdet.\" UserInfo={NSLocalizedRecoverySuggestion=Soll die Verbindung zum Server trotzdem hergestellt werden?, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9843, NSErrorPeerCertificateChainKey=(\n    \"<cert(0x14f033000) s: daiquiri-ext.itunes.apple.com i: Apple Public EV Server RSA CA 2 - G1>\",\n    \"<cert(0x14f01d000) s: Apple Public EV Server RSA CA 2 - G1 i: DigiCert High Assurance EV Root CA>\",\n
```

The error translates to:

The certificate for this server is invalid. A connection may be established with a server pretending to be "auth-sandbox.itunes.apple.com" and compromising confidential data.

The certificate returned by the sandbox auth server seems to be for daiquiri-ext.itunes.apple.com and not valid for auth-sandbox.itunes.apple.com.

When I try to enter https://auth-sandbox.itunes.apple.com in Safari, it tells me that it cannot establish a secure connection to the server.

`curl -v https://auth-sandbox.itunes.apple.com` logs this:

```
* Connected to auth-sandbox.itunes.apple.com (17.36.202.9) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: businessCategory=Private Organization; jurisdictionCountryName=US; jurisdictionStateOrProvinceName=California; serialNumber=C0806592; C=US; ST=California; L=Cupertino; O=Apple Inc.; CN=daiquiri-ext.itunes.apple.com
*  start date: Aug 28 18:07:16 2023 GMT
*  expire date: Dec 30 18:17:16 2023 GMT
*  subjectAltName does not match auth-sandbox.itunes.apple.com
* SSL: no alternative certificate subject name matches target host name 'auth-sandbox.itunes.apple.com'
* Closing connection 0
curl: (60) SSL: no alternative certificate subject name matches target host name 'auth-sandbox.itunes.apple.com'
```
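The decision behind curl's "no alternative certificate subject name matches target host name" line, replayed offline, as an added example that is not part of this post or of curl's own code. It builds a certificate dict in the shape `ssl.SSLSocket.getpeercert()` returns from the subject and dates shown in the curl output (the SAN list is an assumption; curl only reports that no SAN matched), runs the hostname and validity checks against it, and can be pointed at a live host. The function names (`dnsname_matches`, `check_hostname`, `cert_is_current`, `fetch_peer_cert`, `diagnose`, `parse_cert_time`) and the simplified wildcard rules (wildcard only as the entire leftmost label, at least two labels to its right) are this example's choices, not Apple's or curl's.

```python
import socket
import ssl
import sys
import time
from typing import List, Optional, Tuple

# Constructed peer-certificate dict in the shape ssl.SSLSocket.getpeercert()
# returns. Subject CN and dates come from the curl output on this page; the
# SAN list is an assumption (curl only says that no SAN matched the host).
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Apple Inc."),),
        (("commonName", "daiquiri-ext.itunes.apple.com"),),
    ),
    "subjectAltName": (("DNS", "daiquiri-ext.itunes.apple.com"),),
    "notBefore": "Aug 28 18:07:16 2023 GMT",
    "notAfter": "Dec 30 18:17:16 2023 GMT",
}


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName (possibly a wildcard) against a hostname.

    Simplified RFC 6125 rules: case-insensitive, trailing dot ignored, a
    wildcard is accepted only as the entire leftmost label, covers exactly
    one label, and must leave at least two labels to its right ('*.com' is
    never accepted).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_hostname(cert: dict, hostname: str) -> Tuple[bool, str]:
    """dNSName SANs are authoritative; the subject CN is consulted only when
    the certificate carries no dNSName at all (the legacy fallback)."""
    sans: List[str] = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        for name in sans:
            if dnsname_matches(name, hostname):
                return True, f"matched SAN dNSName {name!r}"
        return False, f"no alternative certificate subject name matches {hostname!r} (SANs: {sans})"
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                if dnsname_matches(value, hostname):
                    return True, f"matched CN {value!r} (certificate has no dNSName SAN)"
                return False, f"CN {value!r} does not match {hostname!r}"
    return False, "certificate carries neither a dNSName SAN nor a CN"


def parse_cert_time(value: str) -> float:
    """Epoch seconds for a notBefore/notAfter string in getpeercert() format."""
    return ssl.cert_time_to_seconds(value)


def cert_is_current(cert: dict, now: Optional[float] = None) -> bool:
    """Validity-window check; 'now' defaults to the wall clock."""
    now = time.time() if now is None else now
    return parse_cert_time(cert["notBefore"]) <= now <= parse_cert_time(cert["notAfter"])


def diagnose(cert: dict, hostname: str, now: Optional[float] = None) -> str:
    ok, why = check_hostname(cert, hostname)
    status = "OK" if ok and cert_is_current(cert, now) else "FAIL"
    return f"{status}: {why}; valid {cert['notBefore']} .. {cert['notAfter']}"


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a live server's leaf certificate (needs network access).

    Chain trust is still enforced by the default context; only the built-in
    hostname check is disabled so a mismatched certificate can be inspected
    instead of aborting the handshake. SNI is still sent via server_hostname.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline replay of the mismatch from the curl output above, evaluated at
    # a time inside the certificate's validity window.
    print(diagnose(SAMPLE_CERT, "auth-sandbox.itunes.apple.com",
                   now=parse_cert_time("Nov 10 18:32:58 2023 GMT")))
    # Live check: python3 san_check.py auth-sandbox.itunes.apple.com
    for host in sys.argv[1:]:
        print(diagnose(fetch_peer_cert(host), host))
```

Run without arguments the script reproduces curl's verdict from the constructed certificate; with a hostname argument it fetches the real leaf certificate and reports which SAN (if any) matched and whether the validity window covers the current time, which separates a plain name mismatch from an expired or not-yet-valid certificate.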

We have had the same issue all day without resolution. iOS sandbox works fine; macOS sandbox returns this error on authentication attempts.

My DTS request was closed telling me "Please submit a complete bug report regarding this issue using Feedback Assistant".

Of course I did that before contacting Developer Technical Support, and the feedback ID number was included in the DTS form (FB13353908).

I hope this gets resolved soon.

I was just able to successfully refresh the sandbox App Store receipt of my Mac app. Yay!

I didn't try it for a few days, so I'm not sure when it started working again.

https://auth-sandbox.itunes.apple.com still returns an invalid SSL certificate for me, so maybe that was not the root cause after all.
