Hi Gordon,

In addition to this issue, my team is also facing a SSLHandshakeException error our subscription notifications, after renewing our SSL cert which is issued with SSL root CA 2022. Could we please check if it is possible for Fitbit to import this root CA in your JVM trust store in order to support this? Thank you.

Hi @hi_SG 

Would you please explain what you mean by receiving a "SSLHandshakeException error our subscription notifications".  What is your application/subscriber doing when you receive the error?  Is the error occurring instead of receiving the notification?

Hi @hi_SG 

We should still be sending the email notifications when the subscriber is disabled.   Would you please provide me with your client ID so I can investigate the reason you are not receiving the notification?

Hi Gordon,

This is the error that we see in our subscriber stats https://dev.fitbit.com/apps/subscriberstats/xxx, we are receiving this SSLHandshakeException:

We had to revert our SSL cert back to use SSL root CA 2012 in order to fix this:

However, we will need to renew the SSL cert to use SSL root CA 2022 by tomorrow, and will need Fitbit to import this SSL root CA 2022 in your JVM trust store to support this. Is this possible?

Regarding the email notifications, my client ID is 22BQR5. 

Let me check with engineering to see if we can support SSL root CA 2022.

Thanks Gordon, do let us know the approximate timeline as well. Thank you!

1. FYI, the subscription went down again today as of 3.57pm (after our team updated the SSL cert again), but we did not receive an email notification again. I am unable to attach the screenshot for some reason, but the error message is the same: "SSLHandshakeException".

2. Do update us on the progress for supporting SSL root CA 2022, thank you!

Hi Gordon, any updates on this? Thanks!

Hi Gordon, following up on the status of this matter as it has become increasingly pressing for us. Could you please provide an update at your earliest convenience?

Hi @hi_SG 

Thank you for your patience.   We're still investigating the cause.  The functionality is still supported, so we're trying to determine why the emails are not being sent.

Hi @Gordon-C,

Following up on the urgent issue of supporting SSL root CA 2022, could you please update us on any progress on this?

Hi @hi_SG 

I'm still trying to get an answer for you.  We're having to reach out to several teams to figure out the problem.

Hi @hi_SG 

I'm being asked for more information from you.   Would you please provide the following information?

• Is the CA bundle configured on your servers or are you starting mTLS using a certificate signed by root CA?
• What is the link to the root certificate bundle that you're using?
• Are you getting the error when verifying the subscriber or just when webhook notifications are being received by your subscriber?
• Is your subscriber configured for TLSv1.2 or another version?  
• Are you using TLS+SNI?
• Are your certificates self-signed?

Thanks!

Hi @GordonFitbit, here are our replies to the following questions:

Q: Is the CA bundle configured on your servers or are you starting mTLS using a certificate signed by root CA?
A: No, it's just a standard SSL certificate.

Q: What is the link to the root certificate bundle that you're using?
A: You can check the certificate chain by visiting: https://api.hpb.gov.sg

Q: Are you getting the error when verifying the subscriber or just when webhook notifications are being received by your subscriber?
A: The error only occurs during webhook notifications. The subscriber verification was done a long time ago using a different SSL certificate.

Q: Is your subscriber configured for TLSv1.2 or another version?
A: TLSv1.2

Q: Are you using TLS+SNI?
A: No

Q: Are your certificates self-signed?
A: No

Thanks!

Hi @GordonFitbit,

To follow up on question: What is the link to the root certificate bundle that you're using? You can refer to the following link instead: https://www.ssl.com/repository

Do let us know if you need any further clarifications!

hi @hi_SG 

Would you please re-enable your subscriber so we can get fresh errors in our logs?  Please let me know what timing the errors are occuring.

Thank you!

Hi @GordonFitbit, 

We have re-enabled our subscriber. After refreshing, the errors are coming in from the moment we re-enabled our subscriber at around 13th March 2025  03:15:07:000 +0000.

Thank you!