
makeWebRequest not working on device with Let's Encrypt certificate

Hi,
I've been struggling the last day with getting my app to work on my device.

With a Let's Encrypt certificate it's working fine in the simulator, but on my Fenix 7 Pro it's failing with error code 0.

I've tried different server configurations (both nginx and apache), but with no luck.

The nginx server config is set up with fullchain, and is getting an "A" ranking on test tools. But maybe I'm still missing something.

It seems to me to be quite a widespread problem on Garmin devices, and seems like something Garmin should sort out (I would guess they are not trusting some part of the Let's Encrypt chain), but I'm hoping that there is something I can do to sort it out myself that does not include buying a $50/year premium cert for a toy app.

  • Hello,

    Garmin supports Let's Encrypt certificates. The issue is SSL cipher compatibility.

    Garmin never provided exact information on this topic. They said here (https://forums.garmin.com/developer/connect-iq/b/news-announcements/posts/the-real-devices-of-connect-iq-part-1) that they are compatible with TLSv1.2_2019, which is an AWS reference here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html, but they are not, or not fully compatible.... Today they say they are not compatible with Let's Encrypt... but they are.

    1 - Garmin is not compatible with ECDSA. If you generate a Let's Encrypt (or other) certificate you must generate an RSA certificate (add a type option 'rsa 2048' when generating a Let's Encrypt certificate; by default, since a few weeks ago, Let's Encrypt certificates are ECDSA).

    2 - And not all RSA ciphers mentioned in TLSv1.2_2019 are supported by Garmin.

    This cipher configuration (nginx) provides compatible ciphers (not saying all ciphers generated are compatible):

    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+RSA:@SECLEVEL=1;

    It's a shame Garmin never solved this compatibility issue or provided the right documentation or information.

    As a summary:

    - This is not a question of certificate organisation; any can work as long as you generate an RSA certificate.

    - You should configure your server to accept some old and deprecated ciphers to work with Garmin. Those ciphers are considered insecure, which is why most servers don't accept them and are not compatible with Garmin.

    - The issue was raised more than 2 years ago with Garmin, when they released the Garmin 7 (previous models don't have this restriction). Garmin didn't consider it an issue! They never updated the documentation!

    Could you please update the doc? I lost days because of this issue.

    Thanks
