Acknowledged

makeWebRequest not working on device with Let's Encrypt certificate

Hi,
I've been struggling the last day with getting my app to work on my device.

With a Let's Encrypt certificate it's working fine in the simulator, but on my Fenix 7 Pro it's failing with error code 0.

I've tried different server configurations (both nginx and apache), but with no luck.

The nginx server config is set up with fullchain, and is getting an "A" ranking on test tools. But maybe I'm still missing something.

It seems to me to be quite a widespread problem on Garmin devices, and seems like something Garmin should sort out (I would guess they are not trusting some part of the Let's Encrypt chain), but I'm hoping that there is something I can do to sort it out myself, that does not include buying a $50/year premium cert for a toy app.

  • This has been raised in the past, and it was decided at that time that we would not support Let's Encrypt certificates. I'll create a new ticket and see if it's something that needs to be reconsidered, because I don't have much information about the reason(s) for the past decision.

  • I am able to get LE certs working just fine if manually including the less secure deprecated RSA key ciphers instead of more common/modern ECDSA style (which is default issued by LE and major CDN Cloudflare).

    I have serious concerns, considering watches like Descent MK3, which just launched at the tail end of last year (2023), can't handle any of the standard ciphers that major providers like Cloudflare support. I imagine this will make development for anyone utilizing any site that has CF/CF Proxy extremely difficult if not handled soon. See bug report titled "makeWebRequest fails on patreon audio content download".

    Please keep us updated, or at least let us know you've acknowledged this is going to continue to become an increasingly big problem and plan to take action. Qualys SSL Labs won't even give websites a good rating if they leave RSA keys enabled on their certs at all. This leads me to believe more sites will gradually remove support (like Cloudflare has) and there will be a bunch of watches (as new as 2023 apparently) that effectively can't complete a basic makeWebRequest.

  • Thanks for raising the issue in your team. Do you have any estimate on when an update on the decision will be made? There seem to be a whole lot of issues related to this since the beginning of August. If it will not be fixed, I will have to implement some sort of proxy server myself, but any other way to resolve these SSL problems is very welcome!
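
The RSA-key workaround reported in the reply above can be applied without giving up ECDSA for other clients, because nginx (1.11.0 and later) accepts one certificate per key type. The following is an added example, not configuration posted by anyone in this thread; `example.com`, the certificate names `example-rsa` and `example-ecdsa`, and the web root are placeholders, and which cipher suites the watch or its paired phone actually offers is not stated on this page.

```nginx
# Added example (constructed): serve an ECDSA and an RSA Let's Encrypt
# certificate side by side. OpenSSL picks the certificate that matches what
# the client offers, so an RSA-only client gets the RSA chain.
#
# Certificates issued beforehand, one certbot lineage per key type:
#   certbot certonly --webroot -w /var/www/html --cert-name example-ecdsa \
#       --key-type ecdsa -d example.com
#   certbot certonly --webroot -w /var/www/html --cert-name example-rsa \
#       --key-type rsa --rsa-key-size 2048 -d example.com

server {
    listen 443 ssl;
    server_name example.com;

    # ECDSA certificate: used for clients that can verify ECDSA.
    ssl_certificate     /etc/letsencrypt/live/example-ecdsa/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example-ecdsa/privkey.pem;

    # RSA certificate: fallback for clients that only handle RSA keys.
    ssl_certificate     /etc/letsencrypt/live/example-rsa/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example-rsa/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites. The ECDHE-RSA entries are required for the RSA
    # certificate to be selectable; forward secrecy and AEAD are kept,
    # and static-RSA key exchange and CBC suites stay disabled.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    root /var/www/html;
}

# Check that the RSA path works by forcing an RSA-authenticated suite:
#   openssl s_client -connect example.com:443 -servername example.com \
#       -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 </dev/null
# The leaf certificate printed should be the RSA one.
```

This only helps for servers you control; a request to a third-party host that serves ECDSA certificates only is unaffected by it.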