Acknowledged

makeWebRequest not working on device with Let's Encrypt certificate

Hi,
I've been struggling the last day with getting my app to work on my device.

With a Let's Encrypt certificate it's working fine in the simulator, but on my Fenix 7 Pro it's failing with error code 0.

I've tried different server configurations (both nginx and apache), but with no luck.

The nginx server config is set up with fullchain, and is getting "A" ranking on test tools. But maybe I'm still missing something.

It seems to me to be quite a widespread problem on Garmin devices, and seems like something Garmin should sort out (I would guess they are not trusting some part of the Let's Encrypt chain), but I'm hoping that there is something I can do to sort it out myself, that does not include buying a $50/year premium cert for a toy app.

  • I am able to get LE certs working just fine if manually including the less secure deprecated RSA key ciphers instead of more common/modern ECDSA style (which is default issued by LE and major CDN Cloudflare).

    I have serious concerns considering watches like Descent MK3 which just launched at the tail end of last year (2023) can't handle any of the standard ciphers that major providers like Cloudflare support? I imagine this will make development for anyone utilizing any site that has CF/CF Proxy extremely difficult if not handled soon. See bug report titled "makeWebRequest fails on patreon audio content download".

    Please keep us updated, or at least let us know you've acknowledged this is going to continue to become an increasingly big problem and plan to take action. Qualys SSL Labs won't even give websites a good rating if they leave RSA keys enabled on their certs at all. This leads me to believe more sites will gradually remove support (like Cloudflare has) and there will be a bunch of watches (as new as 2023 apparently) that effectively can't complete a basic makeWebRequest.
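
The workaround described in the reply above, sketched as an nginx configuration that serves both an ECDSA and an RSA certificate, so ECDSA-capable clients keep the modern key while RSA-only clients can still complete a handshake. This is an added example, not configuration posted by anyone in the thread; `example.com`, the two certificate lineage names and the exact cipher list are assumptions, and which suites a given watch accepts is not stated on this page.

```nginx
# Added example (not from the thread). example.com and the lineage names
# example.com-ecdsa / example.com-rsa are placeholders.
#
# Assumed issuance, one lineage per key type (add your usual authenticator
# option, e.g. --nginx or --webroot):
#   certbot certonly --key-type ecdsa --cert-name example.com-ecdsa -d example.com
#   certbot certonly --key-type rsa --rsa-key-size 2048 --cert-name example.com-rsa -d example.com

server {
    listen 443 ssl;
    server_name example.com;

    # nginx 1.11.0 and later accept several certificate/key pairs of
    # different key types; the pair is chosen per handshake from what the
    # client offers.
    ssl_certificate     /etc/letsencrypt/live/example.com-ecdsa/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com-ecdsa/privkey.pem;
    ssl_certificate     /etc/letsencrypt/live/example.com-rsa/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com-rsa/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites: ECDSA-authenticated first, RSA-authenticated as the
    # fallback. Every suite keeps ECDHE key exchange and an AEAD cipher, so
    # the RSA path still has forward secrecy (no static-RSA key exchange).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
}
```

To confirm the RSA path is reachable, `openssl s_client -connect example.com:443 -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256` should complete the handshake and show the RSA leaf certificate.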
