Trouble-shooting Shopify Webhooks and SSL Certificates

I have a number of clients that use Shopify for their e-commerce stores. It’s a great platform for 90% of online store needs, but my customers often come to me because they need their store to do something that the service doesn’t quite do out of the box, whether that’s integrating with another service, updating order notes with specific in-house codes or generating documents on-the-fly to send to a manufacturer elsewhere.

When possible I like to implement solutions that are minimally invasive and maximally effective. With Shopify that often means integrating with their webhook API. Most of the time we’ve been able to accomplish what they need with this approach.

As of September 25, 2017 Shopify verifies the SSL certificate of webhook addresses served over https. This means you’ll need to make sure your SSL certificate is setup correctly!

Generally this is not a problem, but with one client I was surprised to discover that Shopify’s verification process is less lenient than the average browser. The SSL certificate had been setup ages ago and looked fine in the browser, but the webhook suddenly started throwing errors around this date.

Long-story short, if you can score a “B” or higher on this SSL Server Test tool from Qualys, you should be fine:

The problem specific to my project was in incorrectly setup CA Bundle. The file was supposed to contain the root and intermediate certificates bundled (as the name implies) together into a single certificate, but they were in the wrong order. The browsers didn’t seem to mind or care, but whatever process Shopify uses to validate the certificate was more strict.

For further reference, the lines in the Apache site configuration file invoking these certificates looked like this:

SSLCertificateFile /etc/ssl/private/domain.crt SSLCertificateKeyFile /etc/ssl/private/domain.key SSLCertificateChainFile /etc/ssl/private/

Hopefully this information helps anyone else trying to troubleshoot inscrutable Shopify webhook errors related to SSL issues.

. Find a typo?

Recently written: