Through previous inquiries, we have confirmed that there is no fixed IP and that the validity of webhooks is verified through HMAC verification.
However, according to company policy, the X-Shopify-Hmac-SHA256 value included in the header can only be checked for requests that have already passed through the firewall. Even with dynamic IPs, some range is expected to exist, so I would like to ask whether it is difficult to check the range itself.
Hey @user160 - You’re right that there’s no fixed IP range for webhook delivery so IP-based whitelisting isn’t really an option here. HMAC validation is the intended approach for verifying webhook authenticity.
I do understand the challenge though and briefly looked into some alternatives - a few directions worth exploring with your network team:
- configuring your firewall rules to allow traffic to the specific webhook endpoint path rather than by source IP
- using a reverse proxy or similar layer that can inspect request headers before applying blocking rules
- looking into cloud-based event bus delivery methods which tend to have more predictable source infrastructure
The right solution will depend on your specific setup and what your security policies allow, but the above options could be worth exploring.
@Donal-Shopify
Thank you for your answer.
In addition, there is a problem that is occurring during the webhook-related inspection process in the app distribution process.
May I know in which cases the TLS certificate error occurs?
A few things to consider for this error:
First, verify the app URL you’ve set in Partner Dashboard exactly matches the hostname your server responds on - including any www or subdomain prefixes. If your cert is for example.com but your app URL is www.example.com (or vice versa), that’ll fail.
Second, run your app’s hostname through SSL Checker to confirm the certificate is valid and properly installed. This will show you exactly what domains the cert covers and flag any chain issues.
Also worth noting - self-signed certificates won’t work here. You need a cert from a trusted Certificate Authority (Let’s Encrypt is free and works fine).
If you recently made infrastructure changes related to the firewall/IP situation from your earlier question, double-check those didn’t inadvertently change how traffic routes to your server or affect your certificate setup.
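The hostname-versus-certificate check described above, as an added example in Python (it is not code from the original thread or from Shopify): it takes the hostname out of the app URL as configured in the dashboard, pulls the DNS entries from the subjectAltName extension as printed by openssl x509 -noout -ext subjectAltName, and applies the usual wildcard rule, so a cert for example.com alone is reported as not covering www.example.com. The SAN text and the hostnames are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample output of:  openssl x509 -noout -ext subjectAltName -in leaf.pem
# The hostnames are made up for this example.
SAN_APEX_AND_WILDCARD = """X509v3 Subject Alternative Name:
    DNS:example.com, DNS:*.example.com
"""
SAN_APEX_ONLY = """X509v3 Subject Alternative Name:
    DNS:example.com
"""


def parse_san_dns_names(openssl_text: str) -> list:
    """Collect the DNS: entries from openssl's subjectAltName output (IP/email entries are ignored)."""
    return [m.group(1).lower().rstrip(".") for m in re.finditer(r"DNS:([^,\s]+)", openssl_text)]


def hostname_from_app_url(app_url: str) -> str:
    """Hostname of the URL configured in the dashboard, without scheme, port or path."""
    host = urlsplit(app_url).hostname
    if not host:
        raise ValueError("no hostname in %r" % app_url)
    return host.lower().rstrip(".")


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: '*' may stand only for the whole leftmost label,
    so *.example.com covers www.example.com but not example.com or a.b.example.com."""
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def check_app_url(app_url: str, openssl_text: str) -> dict:
    """Report whether the certificate's SANs cover the configured app hostname."""
    host = hostname_from_app_url(app_url)
    sans = parse_san_dns_names(openssl_text)
    return {"hostname": host, "sans": sans, "covered": any(san_matches(p, host) for p in sans)}


if __name__ == "__main__":
    for url, san in [("https://www.example.com/webhooks", SAN_APEX_ONLY),
                     ("https://www.example.com/webhooks", SAN_APEX_AND_WILDCARD)]:
        print(url, check_app_url(url, san))
```

Feed it the SAN block of the certificate as seen from outside the network (the leaf printed by openssl s_client -showcerts), not the file on your server: if a proxy or firewall swaps in a different certificate, that is the one the check has to pass against.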
@Donal-Shopify
As you said, when I checked with the SSL checker, it seems to check out normally, as shown below.
What page do you mean by “partner dashboard”?
Is it a different concept from the Dev dashboard? Is it a problem to see it as below? I wonder which items I need to match exactly.
(There is an error when accessing the dev dashboard as follows.)
@Donal-Shopify
Please check the above again.
@Donal-Shopify
To share some additional confirmation: the SSL certificate is being verified on the path set up for the webhook. I'm attaching a related screenshot, so please check it as well.
Hey @user160 - thanks for sharing those screenshots.
When an SSL checker looks OK but automated checks suggest a TLS/cert error, the most common causes are:
- The hostname you configured (for the webhook/app URL) doesn't exactly match the certificate coverage (SANs), or the server is conditionally presenting a different cert
- An intermediate certificate is missing in the chain your server presents (some tools still show “OK” if they can fetch missing intermediates)
- A firewall / proxy (you mentioned using one) is doing TLS interception and presenting an internal CA-signed certificate to some clients
- The endpoint returns a non-2xx response (your screenshot shows 403), and Shopify treats any non-2xx as a failed delivery
To try and confirm the exact cause, you can do the following:
- From a machine outside the corporate network, run: openssl s_client -connect <hostname>:443 -servername <hostname> -showcerts and confirm the leaf certificate CN/SANs include the exact hostname, and that the full chain is sent.
- Confirm the webhook endpoint path responds with a fast 2xx to a simple POST (even before your app logic runs). If the firewall blocks the request and returns 403 before it reaches your app, Shopify will treat that as a delivery failure.
If you run the two checks above and still can’t spot the cause, then the next best step is to contact Support via the Shopify Help Center and share the openssl s_client output + the exact error you’re seeing there (privately) so we can help confirm what Shopify is seeing during validation.
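Putting together the two points made in this thread (HMAC validation is the intended authenticity check, from the first reply, and the endpoint must answer with a fast 2xx before any app logic, from the reply above), an added example in Python that is not part of the original thread or of Shopify's own code: a minimal receiver that verifies X-Shopify-Hmac-SHA256 as base64 of HMAC-SHA256 over the raw body with a constant-time compare, parks the accepted delivery on a queue for a worker, and replies 200 immediately. The client secret, the endpoint path and the local test client are assumptions made for the example. It speaks plain HTTP on localhost, so in use it would sit behind the TLS terminator; it cannot help if the firewall returns 403 before the request reaches it.

```python
import base64
import hashlib
import hmac
import http.client
import queue
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Optional

# Assumed: the app's client secret from the dashboard. The value is made up.
SHOPIFY_CLIENT_SECRET = b"shpss_example_secret_not_real"

# Accepted deliveries are parked here and processed by a worker, so the
# HTTP response does not wait for the app logic.
WORK_QUEUE = queue.Queue()


def compute_shopify_hmac(secret: bytes, raw_body: bytes) -> str:
    """Base64 of HMAC-SHA256 over the raw request body, which is what the header carries."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode("ascii")


def verify_shopify_hmac(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time check of X-Shopify-Hmac-SHA256 against the body bytes as received."""
    if not header_value:
        return False
    expected = compute_shopify_hmac(secret, raw_body)
    return hmac.compare_digest(expected.encode("ascii"), header_value.encode("utf-8"))


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        raw = self.rfile.read(length)          # check the wire bytes, never re-serialised JSON
        header = self.headers.get("X-Shopify-Hmac-SHA256")
        if not verify_shopify_hmac(SHOPIFY_CLIENT_SECRET, raw, header):
            self.send_response(401)            # bad or missing signature: reject, do not process
            self.end_headers()
            return
        WORK_QUEUE.put({"topic": self.headers.get("X-Shopify-Topic"),
                        "shop": self.headers.get("X-Shopify-Shop-Domain"),
                        "body": raw})
        self.send_response(200)                # fast 2xx before any app logic runs
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):             # keep the example quiet
        pass


def start_server(port: int = 0) -> ThreadingHTTPServer:
    """Bind to localhost (port 0 = pick a free one) and serve in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", port), WebhookHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def post_webhook(port: int, body: bytes, hmac_header: Optional[str]) -> int:
    """Local test client sending a delivery shaped like Shopify's; returns the HTTP status."""
    headers = {"Content-Type": "application/json",
               "X-Shopify-Topic": "orders/create",
               "X-Shopify-Shop-Domain": "example.myshopify.com"}
    if hmac_header is not None:
        headers["X-Shopify-Hmac-SHA256"] = hmac_header
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/webhooks/orders", body=body, headers=headers)
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    body = b'{"id": 1}'
    print(post_webhook(port, body, compute_shopify_hmac(SHOPIFY_CLIENT_SECRET, body)))  # 200
    print(post_webhook(port, body, "not-a-signature"))                                  # 401
    srv.shutdown()
```

The signature covers the body exactly as sent, so the handler reads the raw bytes and verifies them before anything parses the JSON; re-serialising the payload (key order, whitespace) would change the bytes and make a valid delivery fail. Rejections get a 401 rather than a 2xx so that a forged or tampered request is never queued.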