Complete
over 5 years ago

WERETECH-8281

Addressing this is going to be in the realm of our WiFi team, but it looks like this won't be on their radar for quite some time. As of right now, we are assuming this will not be addressed.

Simulator dislikes Let's Encrypt Certs?

I'm seeing the simulator return responseCode=0 for SSL requests that involve a Let's Encrypt SSL Certificate.

Comodo certs (which I used to use) seem to work fine as does a 'naked', non-SSL request.

This is occurring on a Mac / Mojave running CIQ 3.0.11.

The following test case demonstrates the issue:

using Toybox.Application;
using Toybox.Communications as Comm;
using Toybox.System;

class LetsEncryptSSLTestApp extends Application.AppBase {
    function initialize() {
        AppBase.initialize();
    }

    private function showResult(testName, responseCode) {
        //System.println("responseCode=" + responseCode);
        var status = (responseCode == 200) ? "OK" : "FAIL";
        System.println("[ " + status + " ] " + testName);
    }

    private function makeTestJSONRequest(url, callback) {
        //System.println("Making request to url=" + url);
        Comm.makeWebRequest(url, {}, {
            :method => Comm.HTTP_REQUEST_METHOD_GET,
            :headers => { "Content-Type" => Comm.REQUEST_CONTENT_TYPE_JSON },
            :responseType => Comm.HTTP_RESPONSE_CONTENT_TYPE_JSON
        },
        callback);
    }

    // TEST 1: Test w/ Comodo SSL Cert
    // Success
    function onTestComodoSSLCertResponse(responseCode, data) {
        self.showResult("testComodoSSLCert", responseCode);
        self.testLetsEncryptSSLCert();
    }

    function testComodoSSLCert() {
        self.makeTestJSONRequest("https://reqres.in/api/users/2",
                                 self.method(:onTestComodoSSLCertResponse));
    }

    // TEST 2: Test using Let's Encrypt SSL Cert
    //
    // Fails in simulator
    // Succeeds in curl
    function onTestLetsEncryptSSLCertResponse(responseCode, data) {
        self.showResult("testLetsEncryptSSLCert", responseCode);
        self.testWithoutLetsEncryptSSLCert();
    }

    function testLetsEncryptSSLCert() {
        self.makeTestJSONRequest("https://www.mocky.io/v2/5cf44057330000585d75865a",
                                 self.method(:onTestLetsEncryptSSLCertResponse));
    }

    // TEST 3: Same endpoint as TEST 2 but w/o SSL
    //
    // Succeeds in simulator
    function onTestWithoutLetsEncryptSSLCertResponse(responseCode, data) {
        self.showResult("testWithoutLetsEncryptSSLCert", responseCode);
    }

    function testWithoutLetsEncryptSSLCert() {
        self.makeTestJSONRequest("http://www.mocky.io/v2/5cf44057330000585d75865a",
                                 self.method(:onTestWithoutLetsEncryptSSLCertResponse));
    }

    // onStart() is called on application start up
    function onStart(state) {
        self.testComodoSSLCert();
    }

    // onStop() is called when your application is exiting
    function onStop(state) {
    }

    // Return the initial view of your application here
    function getInitialView() {
        return [ new LetsEncryptSSLTestView() ];
    }
}

  • Issue still seems to be present - I have one server with a Let's Encrypt certificate that works in the simulator, and another one that does not. On my watch both work.

  • Hmm, I don't run any of those servers so not sure if anything has changed server-side.

  • Sorry. To be clear, this was tested with a Windows 10 PC. I'll fire up the Mac tomorrow to test that.

  • I ran the above code under a 3.1.0.beta3 SDK, and it displayed

    [ OK ] testComodoSSLCert
    [ OK ] testLetsEncryptSSLCert
    [ FAIL ] testWithoutLetsEncryptSSLCert
    

    Without killing the simulator, I set the Settings > Use Device HTTPS Requirements, and ran it again. This time I got the following result:

    [ OK ] testComodoSSLCert
    [ OK ] testLetsEncryptSSLCert
    [ OK ] testWithoutLetsEncryptSSLCert
    

    Has something changed with the server-side configuration?

  • A little more information here... If I download the latest trusted CA certificates from Mozilla, I can access reqres.io without error, but continue to get security warnings for mocky.io.

    [ 1:25:47.67] C:\Users\vitek\Desktop>curl --insecure -o cacert.pem https://curl.haxx.se/ca/cacert.pem
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  220k  100  220k    0     0   588k      0 --:--:-- --:--:-- --:--:--  588k
    
    [ 1:28:39.82] C:\Users\vitek\Desktop>curl --cacert cacert.pem https://www.mocky.io/v2/5cf44057330000585d75865a
    curl: (35) Unknown SSL protocol error in connection to www.mocky.io:443
    
    [ 1:29:05.72] C:\Users\vitek\Desktop>curl --cacert cacert.pem https://reqres.in/api/users/2
    {"data":{"id":2,"email":"[email protected]","first_name":"Janet","last_name":"Weaver","avatar":"https://s3.amazonaws.com/uifaces/faces/twitter/josephstein/128.jpg"}}
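
An added diagnostic, not part of the thread or of Garmin's code: it reports whether a TLS connection fails at certificate verification, which a different CA bundle can change, or during the handshake itself, which is what curl's error 35 above indicates. The names `classify` and `probe` are this example's own; the hosts are the ones from the test case.

```python
import socket
import ssl
import sys


def classify(exc):
    """Name the stage at which a TLS connection attempt failed."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Trust failure: unknown issuer, expired cert or hostname mismatch.
        # A CA bundle can fix this (curl reports an untrusted issuer as exit 60).
        detail = getattr(exc, "verify_message", None) or "verify failed"
        return "certificate: " + detail
    if isinstance(exc, ssl.SSLError):
        # Handshake failure unrelated to trust: protocol version, cipher
        # suite or a fatal alert (curl reports it as exit 35).
        detail = getattr(exc, "reason", None) or "handshake failure"
        return "protocol: " + detail
    if isinstance(exc, OSError):
        # DNS, refused connection, reset or timeout below the TLS layer.
        return "network: " + type(exc).__name__
    return "other: " + type(exc).__name__


def probe(host, cafile=None, port=443, timeout=10):
    """Handshake with host, trusting only cafile when one is given."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                org = issuer.get("organizationName", "unknown issuer")
                return "ok: %s, issued by %s" % (tls.version(), org)
    except OSError as exc:
        return classify(exc)


if __name__ == "__main__":
    # Optional argument: path to a CA bundle such as the thread's cacert.pem.
    bundle = sys.argv[1] if len(sys.argv) > 1 else None
    for name in ("reqres.in", "www.mocky.io"):  # hosts from the test case
        print(name, "->", probe(name, cafile=bundle))
```

A "protocol" result means changing the trusted CA list will not help; a "certificate" result names the verification error to look at.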