Acknowledged

makeWebRequest not working on device with Let's Encrypt certificate

Hi,
I've been struggling the last day with getting my app to work on my device.

With a Let's Encrypt certificate it's working fine in the simulator, but on my Fenix 7 Pro it's failing with error code 0.

I've tried different server configurations (both nginx and apache), but with no luck.

The nginx server config is set up with fullchain, and is getting an "A" ranking on test tools. But maybe I'm still missing something.

It seems to me to be quite a widespread problem on Garmin devices, and seems like something Garmin should sort out (I would guess they are not trusting some part of the Let's Encrypt chain), but I'm hoping that there is something I can do to sort it out myself that does not include buying a $50/year premium cert for a toy app.

  • Hi,

    I am facing this issue with my new Fenix 8 Solar, whereas on my Fenix 7 it was not an issue. Is there a new restriction being put in place with the Fenix 7 Pro and Fenix 8 that was not there with earlier devices? This fact renders my own app useless and I am wondering why such a great initiative like Let's Encrypt is blocked by Garmin. I don't think there is a difference between Let's Encrypt and other free certificate issuers out there. In both cases you can get a free certificate and create malicious servers. So what is the point in giving those problems to your developers?

  • I am able to get LE certs working just fine if I manually include the less secure, deprecated RSA key ciphers instead of the more common/modern ECDSA style (which is issued by default by LE and the major CDN Cloudflare).

    I have serious concerns considering watches like Descent MK3 which just launched at the tail end of last year (2023) can't handle any of the standard ciphers that major providers like Cloudflare support? I imagine this will make development for anyone utilizing any site that has CF/CF Proxy extremely difficult if not handled soon. See bug report titled "makeWebRequest fails on patreon audio content download"

    Please keep us updated, or at least let us know you've acknowledged this is going to continue to become an increasingly big problem and plan to take action. Qualys SSL Labs won't even give websites a good rating if they leave RSA keys enabled on their certs at all. This leads me to believe more sites will gradually remove support (like Cloudflare has) and there will be a bunch of watches (as new as 2023 apparently) that effectively can't complete a basic makeWebRequest.

  • Thanks for raising the issue in your team. Do you have any estimate on when an update on the decision will be made? There seem to be a whole lot of issues related to this since the beginning of August. If it will not be fixed, I will have to implement some sort of proxy server myself, but any other way to resolve these SSL problems is very welcome!

  • Hello,

    Garmin supports Let's Encrypt certificates. The issue is SSL cipher compatibility.

    Garmin never provided exact information on this topic. They said here (https://forums.garmin.com/developer/connect-iq/b/news-announcements/posts/the-real-devices-of-connect-iq-part-1) that they are compatible with TLSv1.2_2019, which is an AWS reference, here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html, but they are not, or not fully compatible.... Today they say they are not compatible with Let's Encrypt... but they are.

    1 - Garmin is not compatible with ECDSA. If you generate a Let's Encrypt (or other) certificate you must generate an RSA certificate (add a type option 'rsa 2048' when generating a Let's Encrypt certificate; for a few weeks now, Let's Encrypt certificates are ECDSA by default).

    2 - And not all RSA ciphers mentioned in TLSv1.2_2019 are supported by Garmin.

    This cipher configuration (nginx) provides compatible ciphers (not saying all ciphers generated are compatible):

    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+RSA:@SECLEVEL=1;

    It's a shame Garmin never solved this compatibility issue or provided the right documentation or information.

    As a summary:

    - This is not a question of certificate organisation; any can work as soon as you generate an RSA certificate.

    - You should configure your server to accept some old and deprecated ciphers to work with Garmin. Those ciphers are considered insecure, which is why most servers don't accept them and are not compatible with Garmin.

    - The issue was raised with Garmin more than 2 years ago, when they released the Garmin 7 (previous models don't have this restriction). Garmin didn't consider it an issue! They never updated the documentation!

    Could you please update the doc? I lost days because of this issue.

    thanks
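As an added diagnostic (not code from the post above or from Garmin), the script below expands the nginx `ssl_ciphers` string quoted in that post with the local OpenSSL build, separates the suites that need an RSA server certificate from those that need an ECDSA one, and can then probe a host offering only the RSA-authenticated subset to see whether its certificate type would satisfy a client with that restriction. The host name passed on the command line is the only input; `NGINX_CIPHERS` is copied from the post.

```python
"""Which suites in an nginx ssl_ciphers string need an RSA vs. ECDSA cert?"""
import socket
import ssl
import sys

# Cipher string quoted in the forum post above (nginx ssl_ciphers value).
NGINX_CIPHERS = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+RSA:@SECLEVEL=1"


def expand_ciphers(cipher_string):
    """Expand an OpenSSL cipher string into the suites it enables, using the
    local OpenSSL library (the same engine nginx uses to interpret it)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # Some builds (e.g. LibreSSL) reject the @SECLEVEL directive; drop it.
        ctx.set_ciphers(":".join(p for p in cipher_string.split(":")
                                 if not p.startswith("@")))
    return ctx.get_ciphers()


def split_by_certificate_type(cipher_string):
    """Group TLS 1.2 suites by the server certificate key type that can serve
    them: auth-rsa suites need an RSA certificate, auth-ecdsa suites an ECDSA
    one. TLS 1.3 suites are skipped because they are key-type agnostic."""
    groups = {"rsa": [], "ecdsa": [], "other": []}
    for c in expand_ciphers(cipher_string):
        if c["protocol"] == "TLSv1.3":
            continue
        key = {"auth-rsa": "rsa", "auth-ecdsa": "ecdsa"}.get(c["auth"], "other")
        groups[key].append(c["name"])
    return groups


def handshake_rsa_only(host, port=443, timeout=5.0):
    """Offer only the RSA-authenticated suites from the list over TLS 1.2.
    A server holding only an ECDSA certificate cannot complete this handshake,
    which is the symptom described in the post for devices lacking ECDSA."""
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(split_by_certificate_type(NGINX_CIPHERS)["rsa"]))
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == "TLSv1.2"
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    print(split_by_certificate_type(NGINX_CIPHERS))
    if len(sys.argv) > 1:
        print("RSA-only handshake OK:", handshake_rsa_only(sys.argv[1]))
```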

  • This has been raised in the past, and it was decided at that time that we would not support Let's Encrypt certificates. I'll create a new ticket and see if it's something that needs to be reconsidered, because I don't have much information about the reason(s) for the past decision.