house-of-abbey / GarminHomeAssistant

Garmin application to provide a dashboard to control your Home Assistant
https://community.home-assistant.io/t/home-assistant-app-for-garmin/637348
MIT License

Client certificate authentication #143

Closed mclei closed 1 month ago

mclei commented 2 months ago

Is it possible to use client certificate for the client authentication? I have an internet accessible HA instance with proper Let's Encrypt certificate, but the https proxy requires client certificate to allow access. I have not found any info about installing a certificate on the Garmin watches or reusing certificates installed on the Android. I can access the web from Android phone after installing the certificate on it.

philipabbey commented 2 months ago

This is a bit left field!

You can't install certificates on the watch as far as I know. Assume all HTTPS traffic goes through your phone. Usually I say that if your phone can access the URL, then the watch can.

> Let's Encrypt certificate, but the https proxy requires client certificate to allow access.

Let's Encrypt certificates are already in a chain of trust with a browser being able to verify that. You should not need to be installing any certificates for Let's Encrypt, so don't. Sounds like the problem is with your proxy setup, or you've not installed the correct certificate. I know it should work as that's what we use.

Good luck!

eldadh commented 1 month ago

Hello, I think the idea is that the phone part of the app will be initiating the client certificate authentication. From what I understand, the phone initiates the HTTPS session to the HA. Therefore if the phone can make a client certificate based connection it should work. I did try to redirect the URL to a client cert based one but it didn't work.

I too would appreciate this feature request. thnx

philipabbey commented 1 month ago

There is no feature to implement here.

You've described the mechanism, and your description shows there is no additional part the GHA app can play.

You don't need any additional mechanism for your solution, you just need to sort out your certificates. I am aware that others have got this to work just fine, e.g. by playing with DNS. See other sources of help, e.g. HA forums. https://community.home-assistant.io/t/home-assistant-app-for-garmin/637348

It is impossible for us to support you as we cannot get hands on your setup. Nor is it really our remit to provide such specialised advice on a setup peculiar to only you.

Sorry, but I think you need to understand your technical problem more thoroughly.

mclei commented 1 month ago

Hi Philip,

> Sorry, but I think you need to understand your technical problem more thoroughly.

Maybe you have not understood my problem correctly. It is not about server certificate trust. I understand that HA instance must have a server certificate, that is trusted by the Android system. I have a server certificate from Let's Encrypt.

My problem is with client certificate authentication. My HA instance is secured by client certificates. It means that the client must provide a proof that it owns a client certificate when it is establishing the HTTPS connection. And I have imported the client certificate under user certificates on my Android device and native HomeAssistant application correctly uses it when accessing my HA instance (it asks which certificate to use on first connect and remembers the chosen one).

So what I want to say, the HomeAssistant application on my phone correctly uses the client certificate, while the Garmin application connected through the same phone does not use that certificate. I think it must actively say to use a client certificate when establishing the connection. And I don't know whether it should be done transparently by the Garmin Connect application, or whether you are directly establishing HTTP connection from the watches. In the second case, the watches application must have a way to import and use the client certificate.

philipabbey commented 1 month ago

As you will see from the message trail, we both agree that the HTTPS is done through the phone, and if the phone can see a URL, so should a Garmin app. We both understand this.

I have also told you there is nothing I can do with certificates in the Garmin ConnectIQ SDK. So if there is nothing I can change in my code, there is nothing to do under this now closed issue.

If you don't believe me (as it appears) then please show me (by URL) which API call you think I should be using for your solution.

Now, I've also alluded to certificate solutions for you. Let's Encrypt can be made to work. We've done it, others have messed with DNS and got the chain of trust working locally. I think you are on the wrong line of thinking pursuing getting a local trust to work. Good luck with that, I can't support you, and I really don't think I can change the app to mess with certificates as you are asking.

So you have no choice now but to pursue a solution with Let's Encrypt chain of trust without a locally installed certificate. As I said before, others have managed this. The solution is out there. It's probably quite independent of anything Garmin related.

Please don't ask me to do something when there is no API call in the SDK to cover it.

Someone0nEarth commented 1 month ago

Hi @mclei ,

Like @philipabbey is trying to tell you, at the current state of the GarminIQ, there is no possible way to use client-certs for authentication. GarminIQ is really strict and limited regarding web requests: a couple of years ago, they even restricted GarminIQ more ("plain" HTTP connections were no longer supported). Also, self-signed certs for HTTPS are not working either (even when they are installed properly on your phone). The only solution I see for you is to bypass your https-proxy authentication for your Garmin ConnectIQ device, so that it has direct access to your HA instance using your LE cert for HTTPS.
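
The distinction this thread turns on, as an added example (not code from the issue or from the GarminHomeAssistant project): a TLS server that demands a client certificate rejects a client that trusts the server's chain but presents no certificate, and accepts the same client once it loads its key pair. Assumptions: Python 3.8+ with the `openssl` command-line tool on the path; the CA, the `demo-client` name and all function names are constructed for the illustration, and nothing here models the Connect IQ SDK or Garmin Connect.

```python
import pathlib, socket, ssl, subprocess, tempfile, threading

def make_certs(d):  # constructed throwaway PKI: test CA, server cert, one client cert
    def run(*a):
        subprocess.run(["openssl", *a], cwd=d, check=True, capture_output=True)
    pathlib.Path(d, "san.ext").write_text("subjectAltName=DNS:localhost\n")
    run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
        "-subj", "/CN=Example Test CA", "-keyout", "ca.key", "-out", "ca.pem")
    for name, cn in (("server", "localhost"), ("client", "demo-client")):
        run("req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}",
            "-keyout", f"{name}.key", "-out", f"{name}.csr")
        run("x509", "-req", "-in", f"{name}.csr", "-CA", "ca.pem", "-CAkey", "ca.key",
            "-CAcreateserial", "-days", "1", "-extfile", "san.ext", "-out", f"{name}.pem")

def serve(d, srv):  # stand-in for the HTTPS proxy in front of the HA instance
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(f"{d}/server.pem", f"{d}/server.key")
    ctx.load_verify_locations(f"{d}/ca.pem")
    ctx.verify_mode = ssl.CERT_REQUIRED  # "client certificate required"
    for _ in range(2):
        conn, _addr = srv.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                cn = dict(rdn[0] for rdn in tls.getpeercert()["subject"])["commonName"]
                tls.sendall(f"hello {cn}".encode())
        except (ssl.SSLError, OSError):
            pass  # handshake refused: no acceptable client certificate was presented

def request(d, port, with_cert):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies server chain and hostname
    ctx.load_verify_locations(f"{d}/ca.pem")
    if with_cert:  # the client code must load the key pair itself to present it
        ctx.load_cert_chain(f"{d}/client.pem", f"{d}/client.key")
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            return tls.recv(64).decode() or "rejected: connection closed"
    except (ssl.SSLError, OSError) as exc:
        return f"rejected: {type(exc).__name__}"

def demo():
    with tempfile.TemporaryDirectory() as d, socket.create_server(("127.0.0.1", 0)) as srv:
        make_certs(d)
        threading.Thread(target=serve, args=(d, srv), daemon=True).start()
        port = srv.getsockname()[1]
        return request(d, port, False), request(d, port, True)

if __name__ == "__main__":
    print(demo())
```

Both clients validate the server certificate successfully; only the second proves possession of a client key, which is the part the server-side `CERT_REQUIRED` setting checks.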