makeWebRequest not working on device with Let's Encrypt certificate

Hello,

Garmin supports Let's Encrypt certificates. The issue is the ssl ciphers compatibility.

Garmin never provided exact information on this topic, they said here (https://forums.garmin.com/developer/connect-iq/b/news-announcements/posts/the-real-devices-of-connect-iq-part-1) that they are compatible with TLSv1.2_2019 that is an aws ref here : https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html, but they are not, or not fully compatible.... today they say they are not compatible with letsencrypt... but they are.

1 - Garmin is not compatible with ECDSA, if you generate a letsencrypt (or other) certificate you must generate a RSA certificate, (add a type option 'rsa 2048' when generating a letsencrypt certificate, by default since a few weeks letsencrypt certificates are ECDSA)

2 - And not all RSA ciphers mentioned in TLSv1.2_2019 are supported by garmin. 

this cipher configuration (nginx) provides compatibles ciphers (not saying all ciphers generated are compatible),

ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+RSA:@SECLEVEL=1;

It's a shame Garmin never solved this compatibility issue either provided the right documentation or information.

as a summary :

- this is not a question of certificate organisation, any can work as soon as you generate a RSA certificate

- you should configure your server to accept some old and deprecated ciphers to work with Garmin. Those ciphers are considered as unsecured, it's why most of the servers don't accept them and are no compatible with Garmin.

- The issue was raised more than 2 years ago to Garmin, when they released the Garmin 7 (previous models don't have this restriction). Garmin didn't consider it as an issue ! They never updated the documentation !

Brandon.ConnectIQ could you please update the doc ? I lost days because of this issue.

thanks

Hello,

Garmin supports Let's Encrypt certificates. The issue is the ssl ciphers compatibility.

Garmin never provided exact information on this topic, they said here (https://forums.garmin.com/developer/connect-iq/b/news-announcements/posts/the-real-devices-of-connect-iq-part-1) that they are compatible with TLSv1.2_2019 that is an aws ref here : https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html, but they are not, or not fully compatible.... today they say they are not compatible with letsencrypt... but they are.

1 - Garmin is not compatible with ECDSA, if you generate a letsencrypt (or other) certificate you must generate a RSA certificate, (add a type option 'rsa 2048' when generating a letsencrypt certificate, by default since a few weeks letsencrypt certificates are ECDSA)

2 - And not all RSA ciphers mentioned in TLSv1.2_2019 are supported by garmin. 

this cipher configuration (nginx) provides compatibles ciphers (not saying all ciphers generated are compatible),

ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+RSA:@SECLEVEL=1;

It's a shame Garmin never solved this compatibility issue either provided the right documentation or information.

as a summary :

- this is not a question of certificate organisation, any can work as soon as you generate a RSA certificate

- you should configure your server to accept some old and deprecated ciphers to work with Garmin. Those ciphers are considered as unsecured, it's why most of the servers don't accept them and are no compatible with Garmin.

- The issue was raised more than 2 years ago to Garmin, when they released the Garmin 7 (previous models don't have this restriction). Garmin didn't consider it as an issue ! They never updated the documentation !

Brandon.ConnectIQ could you please update the doc ? I lost days because of this issue.

thanks