Complete
over 5 years ago

WERETECH-8281

Addressing this is going to be in the realm of our WiFi team, but it looks like this won't be on their radar for quite some time. As of right now, we are assuming this will not be addressed.

Simulator dislikes Let's Encrypt Certs?

I'm seeing the simulator return responseCode=0 for SSL requests that involve a Let's Encrypt SSL Certificate.

Comodo certs (which I used to use) seem to work fine as does a 'naked', non-SSL request.

This is occurring on a Mac / Mojave running CIQ 3.0.11.

The following test case demonstrates the issue:

using Toybox.Application;
using Toybox.Communications as Comm;
using Toybox.System;

class LetsEncryptSSLTestApp extends Application.AppBase {
    function initialize() {
        AppBase.initialize();
    }

    private function showResult(testName, responseCode) {
        //System.println("responseCode=" + responseCode);
        var status = (responseCode == 200) ? "OK" : "FAIL";
        System.println("[ " + status + " ] " + testName);
    }

    private function makeTestJSONRequest(url, callback) {
        //System.println("Making request to url=" + url);
        Comm.makeWebRequest(url, {}, {
            :method => Comm.HTTP_REQUEST_METHOD_GET,
            :headers => { "Content-Type" => Comm.REQUEST_CONTENT_TYPE_JSON },
            :responseType => Comm.HTTP_RESPONSE_CONTENT_TYPE_JSON
        },
        callback);
    }

    // TEST 1: Test w/ Comodo SSL Cert
    // Success
    function onTestComodoSSLCertResponse(responseCode, data) {
        self.showResult("testComodoSSLCert", responseCode);
        self.testLetsEncryptSSLCert();
    }

    function testComodoSSLCert() {
        self.makeTestJSONRequest("https://reqres.in/api/users/2",
                                 self.method(:onTestComodoSSLCertResponse));
    }

    // TEST 2: Test using Let's Encrypt SSL Cert
    //
    // Fails in simulator
    // Succeeds in curl
    function onTestLetsEncryptSSLCertResponse(responseCode, data) {
        self.showResult("testLetsEncryptSSLCert", responseCode);
        self.testWithoutLetsEncryptSSLCert();
    }

    function testLetsEncryptSSLCert() {
        self.makeTestJSONRequest("https://www.mocky.io/v2/5cf44057330000585d75865a",
                                 self.method(:onTestLetsEncryptSSLCertResponse));
    }

    // TEST 3: Same endpoint as TEST 2 but w/o SSL
    //
    // Succeeds in simulator
    function onTestWithoutLetsEncryptSSLCertResponse(responseCode, data) {
        self.showResult("testWithoutLetsEncryptSSLCert", responseCode);
    }

    function testWithoutLetsEncryptSSLCert() {
        self.makeTestJSONRequest("http://www.mocky.io/v2/5cf44057330000585d75865a",
                                 self.method(:onTestWithoutLetsEncryptSSLCertResponse));
    }

    // onStart() is called on application start up
    function onStart(state) {
        self.testComodoSSLCert();
    }

    // onStop() is called when your application is exiting
    function onStop(state) {
    }

    // Return the initial view of your application here
    function getInitialView() {
        return [ new LetsEncryptSSLTestView() ];
    }
}
  • A little more information here... If I download the latest trusted CA certificates from Mozilla, I can access reqres.io without error, but continue to get security warnings for mocky.io.

    [ 1:25:47.67] C:\Users\vitek\Desktop>curl --insecure -o cacert.pem https://curl.haxx.se/ca/cacert.pem
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  220k  100  220k    0     0   588k      0 --:--:-- --:--:-- --:--:--  588k
    
    [ 1:28:39.82] C:\Users\vitek\Desktop>curl --cacert cacert.pem https://www.mocky.io/v2/5cf44057330000585d75865a
    curl: (35) Unknown SSL protocol error in connection to www.mocky.io:443
    
    [ 1:29:05.72] C:\Users\vitek\Desktop>curl --cacert cacert.pem https://reqres.in/api/users/2
    {"data":{"id":2,"email":"[email protected]","first_name":"Janet","last_name":"Weaver","avatar":"https://s3.amazonaws.com/uifaces/faces/twitter/josephstein/128.jpg"}}
    

  • The lock icon being shown in Chrome/Safari/... doesn't necessarily mean the certificate chain provided by the server is complete or valid. All that it means is that the certificate chain was deep enough that a trusted certificate was found in the browser's trusted certificate store. When you use Chrome/Safari/..., the browser's certificate store is likely to contain trusted CA certificates for both Let's Encrypt and Comodo, so everything works out. But when you use the simulator, it probably uses a different certificate store which doesn't include the Let's Encrypt CA certificate.

    I'm not done looking into this, but my guess is that one of the libraries we are using is using a certificate store that is simply out-of-date and needs a refresh.