[BUG] No remote movie can be played on Immich Mobile using a Self Signed CA and a proxy in front of IMMICH server/microservices #1744

Closed
opened 2026-02-05 03:27:20 +03:00 by OVERLORD · 83 comments

Originally created by @amitrea on GitHub (Dec 8, 2023).

The bug

**Please NOTICE**
This is NOT an issue of transcoding. Please read the thread carefully.
This is an SSL issue related to the Flutter videoplayer that the IMMICH mobile app uses to play remote videos on Android mobile.
Trusted self-signed certificates (registered in Android) should also be valid for playing videos, as they are for images or other API calls to the IMMICH server.

I cleanly installed Immich mobile on two Android phones (Samsung & Huawei - no relevance as long as it worked on previous versions of Immich Mobile 1.89.0).
On one phone I already had it installed, version 1.89.0. I cleaned up the cache and data for the Immich Mobile App and then re-authenticated.
On the second phone I installed it for the first time.
Movies don't play on either mobile device in the Android Immich App.

All image and movie previews look OK. Seeing a full picture works. Playing an existing movie doesn't work. It is stuck on loading the stream. I tried random movies and have the same issue.

Previous to version 1.89.0 I could play movies. I remember that I didn't try to play a movie with version 1.89.0, but for sure with the previous versions.

In Immich Mobile logs I could not find any INFO, WARNING or ERROR.
On the server side (server or microservices) no INFO, WARNING or ERROR.

On Immich Web (mobile or desktop browser) playing movies works fine.

The OS that Immich Server is running on

Fedora 38

Version of Immich Server

v1.90.1

Version of Immich Mobile App

v1.90.0

Platform with the issue

  • [ ] Server
  • [ ] Web
  • [X] Mobile

Your docker-compose.yml content

N/A (Everything works fine on Web)

Your .env content

N/A (Everything works fine on Web)

Reproduction steps

Please see in the description.

Additional information

Please note I am using my own PKI. I have installed the private root CA into Android (User Certificates), so it's in the trust store of Android. I checked this in every browser I have on my mobile to see if my ROOT CA certificate is considered, and indeed no more SSL warnings/errors.

In Immich App I enabled Self-Signed cert. All functionality except the videoplayer flutter plugin is working fine.
It seems that the videoplayer plugin uses its own SSLSocket.

I saw the error message in Caddy: Unknown certificate, but only when I try to play a movie. For the rest of the Immich API calls I do not get an SSL error.

For more info please check a bit the code for the videoplayer flutter plugin [here](https://github.com/flutter/packages/blob/main/packages/video_player/video_player_android/android/src/main/java/io/flutter/plugins/videoplayer/VideoPlayer.java).

In my opinion Immich should also trust the certificates the user adds to the Android trust store, and there is probably no need to specify "Allow Self Signed Certificates". This option is a security issue - to trust every Self Signed Certificate. This could be an option only in a DEV environment.

OVERLORD added the 📱mobile label 2026-02-05 03:27:20 +03:00

@alextran1502 commented on GitHub (Dec 8, 2023):

Did you change anything related to the transcoding video settings?


@amitrea commented on GitHub (Dec 8, 2023):

Hi @alextran1502

Yes, target resolution is 4k. It was the same before, when I was able to play them from Immich Android app.

However, I highlight it again, from browser it's fine.


@alextran1502 commented on GitHub (Dec 8, 2023):

Did you change the codec? Can you post the screenshot of transcoding settings?


@amitrea commented on GitHub (Dec 8, 2023):

Sure.

Screenshot 2023-12-08 at 17 35 15 Screenshot 2023-12-08 at 17 35 38 Screenshot 2023-12-08 at 17 36 01

@alextran1502 commented on GitHub (Dec 8, 2023):

Can you try reverting the transcoding settings to default, then record and upload a new video and see if it works on your phone?


@amitrea commented on GitHub (Dec 8, 2023):

I suppose you want to identify where the issue is.

I will record a video, upload and then play. Can you remind me what was the default resolution? 1440p or 1024p?


@alextran1502 commented on GitHub (Dec 8, 2023):

The default is 720p. There is also a button to reset to default at the bottom left corner.


@amitrea commented on GitHub (Dec 8, 2023):

Test 1:
By mistake, I was a bit focused on making the movie and forgot to reset the resolution, still 4k.

I opened the Immich Android app and uploaded. Playing is fine.
I deleted it locally from my phone Gallery and tried again. It doesn't work.

Test 2:
I changed the resolution to 720p. The same as above, playing OK until you delete from local Gallery.

Test 3:
Changed resolution to original. The same as above.

My conclusion, maybe yours is different: As long as the movie is in my local Gallery it works; if I delete it, the streaming from the server doesn't work.

Can you please try on your side as well?


@amitrea commented on GitHub (Dec 8, 2023):

I also reset all values from Transcoding section to default. Did the same as in previous tests and the same behaviour.
It doesn't work if I delete it from local Gallery.


@alextran1502 commented on GitHub (Dec 8, 2023):

What are the movie settings on your phone's camera?


@amitrea commented on GitHub (Dec 8, 2023):

4k


@alextran1502 commented on GitHub (Dec 8, 2023):

Do you see any logs in the server container when you are trying to stream the video on the mobile app?


@amitrea commented on GitHub (Dec 8, 2023):

As said in the description no logs on server side (server or microservices) and on mobile app logs.

By the way, I mentioned that the issue is on two distinct Android phones: Huawei Mate Pro and a Samsung A something (do not remember).

If I login to immich from browsers on both phones it plays the videos OK.


@tomikonieczny commented on GitHub (Dec 8, 2023):

Mobile app (android S23 Ultra) v. 1.90.2 build.2114

Transcoding OFF

It looks like there is an issue with playing HEVC media, H.264 is fine.


@amitrea commented on GitHub (Dec 9, 2023):

I understand that the application (web or mobile) streams the transcoded video file and plays it on the device.
So, in this case it does not matter if the video was recorded in H.265 because the transcoded video, as one can see in the transcoding settings I attached above, is H.264.

In your case it may be a different issue!
When you say "H.264 is fine", does it play the video from mobile disk or only from remote (Immich)?
It is working for me as well when I have the mp4 locally, but when I delete it from my Phone Gallery (not through Immich App) it doesn't play the remote one.

My videos are encoded in HEVC (camera calls it Efficient Video Format) and the video player that the Immich Android App is using doesn't have any issue playing it as long as it is on local disk. I checked the format of my video with `ffmpeg -i video_1.mp4`.

Something is weird - at least an INFO, better an exception!


@tomikonieczny commented on GitHub (Dec 9, 2023):

> It is working to me as well when I have the mp4 locally but when I delete it from my Phone Gallery (not through Immich App) it doesn't play the remote one.

Yes, I've just recreated the exact same case. When the HEVC file is locally available the player works, otherwise it doesn't.

Logs from immich_server:
[Nest] 7 - 12/08/2023, 10:05:41 PM ERROR [ErrorInterceptor] Failed to serve file
[Nest] 7 - 12/08/2023, 10:05:41 PM ERROR [ErrorInterceptor] Error: Request aborted

I've been logged in by external IP (ports 2283 and 5432 are forwarded to local IP). I've decided to log in by local IP and then HEVC files started playing. Relogin helped? Missing forwarded ports to local IP?


@amitrea commented on GitHub (Dec 9, 2023):

OK, I also tested connecting with the Immich mobile app using directly the FQDN behind the proxy (http://immich-server.svc.local:3001/api) and it started playing the videos.
I use the latest Caddy v2 proxy behind all my services, with SSL stop on proxy. The URL is https://immich.svc.local. The authentication is done through an OpenID implementation.

As mentioned already, everything is working fine through the proxy when accessing the application through a browser, using the last URL provided above.

So, the bug is in the Immich Mobile App or in a dependency library (flutter videoplayer plugin).

...

Later on after a bit of investigation:

Please note I am using my own PKI. I have installed the private root CA into Android (User Certificates), so it's in the trust store of Android. I checked this in every browser I have on my mobile to see if my ROOT CA certificate is considered, and indeed no more SSL warnings/errors.

In Immich App I enabled Self-Signed cert. All functionality except the videoplayer flutter plugin is working fine.
It seems that the videoplayer plugin uses its own SSLSocket.

I saw the error message in Caddy: Unknown certificate, but only when I try to play a movie. For the rest of the Immich API calls I do not get an SSL error.

For more info please check a bit the code for the videoplayer flutter plugin [here](https://github.com/flutter/packages/blob/main/packages/video_player/video_player_android/android/src/main/java/io/flutter/plugins/videoplayer/VideoPlayer.java).

In my opinion Immich should also trust the certificates the user adds to the Android trust store, and there is probably no need to specify "Allow Self Signed Certificates". This option is a security issue - to trust every Self Signed Certificate. This could be an option only in a DEV environment.

I will amend the description with my findings.


@Liujun3712 commented on GitHub (Dec 11, 2023):

I found the same issue when I changed the transcode setting to HEVC and re-transcoded all the videos today. All the videos just cannot play back.
Now, I am trying to use VP9 codec and re-transcode all.

Version of Immich Server
v1.90.2

Version of Immich Mobile App
v1.90.0 in iOS


@amitrea commented on GitHub (Dec 11, 2023):

This is NOT an issue of transcoding. Please read the thread carefully.
Please open another issue for your issue.

This is an SSL issue related to the Flutter videoplayer that the IMMICH mobile app uses to play videos on Android mobile.
Trusted self-signed certificates (registered in Android) should also be valid for playing videos, as they are for images or other calls to the IMMICH server.


@br4yd commented on GitHub (Dec 15, 2023):

I can confirm this bug. I run my server on a Synology NAS behind their proxy server using Tailscale to connect from the outside because no public IPv4 (provider only serves DS_Lite). I had everything running via HTTP but eventually switched to HTTPS using a self-signed cert (can only be self-signed because as mentioned it's running inside a Tailscale network and is therefore not reachable from the outside). Since switching to that self-signed certificate I can't playback videos or live photos on mobile. I can however play them back on web.


@mmanjos commented on GitHub (Jan 11, 2024):

I'm seeing the same thing on my environment:

  • Immich v1.92.0 on docker
  • nginx on the same node that runs the docker container
  • SSL certificate used by nginx (server.crt and server.key below) is a valid certificate from my own self-hosted CA. The CA root is imported onto the android phone and other services respect the certificates that are signed by it without errors.

nginx is configured like this:

```
server {
  listen      443 ssl;
  server_name photos.my.domain.invalid;
  root /var/www/html;
  index index.html index.htm;
  client_max_body_size 5000M;

  ssl_certificate       /etc/ssl/private/server.crt; # this is a cert signed by my home root CA that validates server_name above
  ssl_certificate_key   /etc/ssl/private/server.key;

  location / {
    client_max_body_size 5000M;
    proxy_pass http://localhost:2283; # this is immich running on docker 0.0.0.0:2283->3001/tcp
    proxy_set_header Host              $http_host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_http_version 1.1;
    proxy_set_header   Upgrade    $http_upgrade;
    proxy_set_header   Connection "upgrade";
    proxy_redirect off;
  }
}
```

I've tried a handful of different reverse proxy configs, but based on the nginx logs and the behavior of the app, it feels like it's failing at the TLS session whenever a video is requested for playback on the phone (i.e. no actual HTTP request makes it into the nginx logs - it just fails silently)


@jrasm91 commented on GitHub (May 14, 2024):

AFAIK the image and video players in flutter don't use the http interceptor that has been added to solve the issue with self-signed certificates elsewhere.


@robertoho commented on GitHub (Jun 9, 2024):

I also have a self-signed certificate. The problem happens in the Immich app and Chromium-based browsers; in Firefox it works well.


@zamansoum commented on GitHub (Jun 23, 2024):

Here to confirm I have the same issue with the updated version of the app on Android with a valid cert and CA added to the Android local store.


@TheStealthReporter commented on GitHub (Jun 25, 2024):

Also confirming this issue. Video clips in Immich show this behavior:

  • works: Immich App + `http://` endpoint
  • works: Chrome Mobile + `https://` with a self-signed CA (added to the user CA store)
  • doesn't work: Immich App + `https://` with exactly the same certificate as above

Also [this](https://github.com/flutter/flutter/issues/56607#issuecomment-2164062582) user provides some [code](https://github.com/johnstef99/flutter_user_certificates_android) to check whether a certificate is _really_ a trusted user certificate (instead of allowing all certificates, as far as I understand the Immich HTTP interceptor).


@rovo89 commented on GitHub (Jul 4, 2024):

Probably related: I use a reverse proxy with a Let's Encrypt certificate, which works without adding it to the CA store. However, due to the lack of mTLS support, I have configured Basic Authentication, i.e. my endpoint is `https://user:password@mydomain.tld`.

The error reported in the app logs is `Exception: PlatformException(VideoError, Video player had error y2.r: Source error, null, null)` and in the nginx logs I see that the requests coming from ExoPlayer got a 401. I assume that the username/password simply isn't included in the URL passed to the player, or that it doesn't know how to handle it. Can someone confirm?


@notthedan commented on GitHub (Jul 6, 2024):

Confirming this issue for iPhone 14 Pro as well.

Using HAProxy loaded with a self-signed certificate to reverse proxy immich.


@MadKillerChicken commented on GitHub (Jul 24, 2024):

Can also confirm. Strangely enough it works with Librewolf (Firefox), but doesn't with Vanadium (Chrome) or the Android app. Using latest client/server running on docker and using traefik (forced SSL). Own custom CA installed and recognized on all devices.

I'd love to know why it works on Firefox.


@pedropombeiro commented on GitHub (Jul 31, 2024):

FWIW, I'm seeing the same on iOS (using mTLS support in Traefik with the new support in mobile app v1.111.0). Here's the output in Traefik's logs:

[image]

We can see that the `TLSClientSubject` header is present in successful requests:

[image]

@cfelicio commented on GitHub (Aug 15, 2024):

Same issue here, I'm using an iPhone 11 app, tried with NPM and Caddy as reverse proxies, also with Cloudflare enabled and disabled...

Here is what shows up in the Caddy log, if it helps:

```
ERR | ts=1723696824.1158197 logger=http.handlers.reverse_proxy msg=aborting with incomplete response upstream=127.0.0.1:2283 duration=0.011252365 request={"remote_ip":"...","remote_port":"57094","client_ip":"...","proto":"HTTP/2.0","method":"GET","host":"...","uri":"/api/assets/ae6e9199-a7ac-47e1-b808-b0fbdc61ff02/video/playback","headers":{"Range":["bytes=0-362376870"],"User-Agent":["AppleCoreMedia/1.0.0.21G93 (iPhone; U; CPU OS 17_6_1 like Mac OS X; en_ca)"],"Cf-Ipcountry":["CA"],"X-Forwarded-Proto":["https"],"Accept-Language":["en-CA,en-US;q=0.9,en;q=0.8"],"X-Forwarded-For":["..."],"Accept-Encoding":["gzip, br"],"X-Playback-Session-Id":["9579D20C-5C14-4440-AD61-95682562C7F8"],"X-Forwarded-Host":["..."],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Cf-Ray":["8b36819c98cdc493-SEA"],"Accept":["*/*"],"X-Immich-User-Token":["..."],"Cf-Connecting-Ip":["..."],"Cdn-Loop":["cloudflare"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"..."}} error=writing: http2: stream closed
```


@M4tT3d commented on GitHub (Aug 15, 2024):

I have the same problem with the new version as well. I use traefik as reverse proxy and the immich server can be accessed only from the local network. I also use a self-signed certificate for https with a permanent redirect from http to https. I don't use client certificates. The strange behavior is that if I access the server without the proxy, it works fine; otherwise I have this error
`Instance of 'FlutterErrorDetails' Exception: PlatformException(VideoError, Video player had error f1.l: Source error, null, null) Library: widgets library Context: Instance of 'ErrorDescription'`.

From the traefik logs I found this kind of message when I want to get a video
`http: TLS handshake error from x.x.x.x:y: remote error: tls: bad certificate`


@C-Otto commented on GitHub (Aug 26, 2024):

I had the issue with a "let's encrypt" certificate and http basic auth. It works if I exclude the video endpoint from the auth requirements (which might be unsafe?). For Apache:

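```
# Mark requests for the video playback endpoint
SetEnvIf Request_URI "/api/assets/[0-9a-f-]*/video/playback" accessgranted=1

<Location />
    Order deny,allow
    # "Satisfy any": a request passes if either the Allow rule or Basic auth succeeds,
    # so marked playback requests skip the password prompt
    Satisfy any
    Deny from all
    Allow from env=accessgranted
    Authtype Basic
    Authname "Password Required"
    AuthBasicProvider file
    AuthUserFile "/foo/some.passwd"
    Require valid-user
</Location>
```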

@neothematrix commented on GitHub (Aug 27, 2024):

same issue with Android Immich app and mTLS client certificate on Cloudflare, video playback doesn't work, all requests are reaching cloudflare with "Exoplayer" user agent but without client ssl certificate, so they are dropped by Cloudflare.
It seems ssl client certificate isn't passed to Exoplayer.


@neothematrix commented on GitHub (Aug 31, 2024):

testing iOS too, same issue with Client mTLS authentication as Android, except the user agent is not "Exoplayer" but "AppleCoreMedia", GET requests reach the immich endpoint without presenting the configured mTLS.

reading the other reports it seems there are two issues with video playback and SSL that are strictly related and perhaps the root cause could be the same: SSL parameters (like allow self-signed certificates and use ssl client certificates) are not passed over to external applications (like Exoplayer or AppleCoreMedia) that are used to playback videos.


@JPBRM commented on GitHub (Sep 14, 2024):

Because @yjiang-c had a look at this issue while looking at a different Client SSL issue, I'm just adding this here for completeness: https://github.com/immich-app/immich/issues/11870#issuecomment-2323272620

> @neothematrix [#5553](https://github.com/immich-app/immich/issues/5553#issuecomment-2322936058) is not easy to be resolved. The video player used in immich mobile is a flutter plugin, which does not support customised HTTPS options. In immich side, we can only fix it by totally replacing the video player and rewrite a new video player from scratch.


@neothematrix commented on GitHub (Sep 14, 2024):

shall we open a bug/feat request to flutter? We surely aren't the only ones using these scenarios


@MadKillerChicken commented on GitHub (Sep 14, 2024):

I really hope this can be solved. Immich is definitely the best self hosted solution of this kind by a long shot. Unfortunately this will prevent me from using it.

Sadly it appears that flutter has exactly this issue on their radar since 2019, but don't seem to be interested in implementing a fix.

https://github.com/flutter/flutter/issues/36925


@JPBRM commented on GitHub (Sep 14, 2024):

I also found this issue: https://github.com/flutter/flutter/issues/56607 there is a reply from another dev who created an (Android-specific) plugin to get mTLS to work: https://github.com/flutter/flutter/issues/56607#issuecomment-2164062582


@alextran1502 commented on GitHub (Sep 14, 2024):

We are testing the native video player, which might potentially solve this issue


@TheOneValen commented on GitHub (Sep 16, 2024):

As a "workaround": you can use letsencrypt for a domain which is only reachable via VPN if you use the DNS challenge. Then you have an "officially trusted" certificate. This is how I solved this for now.


@rovo89 commented on GitHub (Sep 16, 2024):

> As a "workaround": you can use letsencrypt for a domain which is only reachable via VPN if you use the DNS challenge. Then you have an "officially trusted" certificate. This is how I solved this for now.

Won't help for mTLS though as the client certificate is simply not sent. And we can't disable mTLS requirement for videos because the requested URL isn't sent yet during the handshake.


@neothematrix commented on GitHub (Sep 16, 2024):

currently a workaround is to use web browser instead of the app


@kaztechSolutions commented on GitHub (Oct 2, 2024):

Is there any news about this issue? I am currently investigating if I can move from Google Photos to Immich. But this issue takes away all the joy I had.

I am just worried that mtls support could not be supported anymore. Would love to hear the opposite.

Having the issue using the iPhone app with an nginx proxy with mtls turned on.


@yjiang-c commented on GitHub (Oct 2, 2024):

The Pull Request #12104 is in progress to resolve this issue. It is a big feature and needs some time.


@canton7 commented on GitHub (Oct 14, 2024):

For those, like me, searching open issues for this nginx error message:

> SSL_do_handshake() failed (SSL: error:0A000416:SSL routines::ssl/tls alert certificate unknown:SSL alert number 46) while SSL handshaking, client: ::<redacted>, server: [::]:443
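
The proxy messages quoted in this thread fall into two groups, which this added triage example separates (it is not code from any commenter or from Immich): TLS alerts the client sent during the handshake, and requests that completed TLS and were aborted later. The sample lines are constructed after the Caddy, traefik and nginx messages above with placeholder addresses; the function and field names are hypothetical.

```python
import json
import re

# Constructed samples modelled on the proxy messages quoted in this thread;
# addresses, asset id and header values are placeholders.
SAMPLE_LINES = [
    # Caddy: request logged with a "tls" block, response aborted afterwards
    'ERR | ts=1723696824.1 logger=http.handlers.reverse_proxy '
    'msg=aborting with incomplete response upstream=127.0.0.1:2283 '
    'request={"proto":"HTTP/2.0","method":"GET",'
    '"uri":"/api/assets/00000000-0000-0000-0000-000000000000/video/playback",'
    '"headers":{"Range":["bytes=0-1023"],"User-Agent":["AppleCoreMedia/1.0.0 (iPhone)"]},'
    '"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2"}} '
    'error=writing: http2: stream closed',
    # traefik (Go TLS stack)
    'http: TLS handshake error from 192.0.2.10:50000: remote error: tls: bad certificate',
    # nginx (OpenSSL)
    'SSL_do_handshake() failed (SSL: error:0A000416:SSL routines::ssl/tls alert '
    'certificate unknown:SSL alert number 46) while SSL handshaking, '
    'client: 192.0.2.10, server: [::]:443',
]

TLS_VERSIONS = {771: "TLS 1.2", 772: "TLS 1.3"}      # 0x0303, 0x0304
CIPHER_SUITES = {4865: "TLS_AES_128_GCM_SHA256"}     # 0x1301
# Certificate-related alert descriptions (RFC 8446, section 6.2)
ALERTS = {42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca"}
# Wording Go uses for the same alerts in "remote error: tls: ..." messages
GO_ALERT_TEXT = {"bad certificate": 42, "unknown certificate": 46,
                 "unknown certificate authority": 48}
# User agents named in this thread for the platform media players
MEDIA_STACK_UA = re.compile(r"AppleCoreMedia|ExoPlayer", re.IGNORECASE)
PLAYBACK_URI = re.compile(r"^/api/assets/[0-9a-f-]+/video/playback")


def _client_alert(code):
    """Finding for an alert the proxy received, i.e. one the client sent."""
    known = code in ALERTS
    return {
        "stage": "handshake",
        "alert": ALERTS.get(code, "other"),
        "alert_code": code,
        "sent_by": "client",
        "reading": ("client did not accept the server certificate chain"
                    if known else "alert outside the certificate table above"),
    }


def classify(line):
    """Return a finding dict for one proxy log line, or None if unrecognised."""
    m = re.search(r"remote error: tls: (.+?)\s*$", line)
    if m:
        return _client_alert(GO_ALERT_TEXT.get(m.group(1)))

    m = re.search(r"SSL alert number (\d+)", line)
    if m and "while SSL handshaking" in line:
        return _client_alert(int(m.group(1)))

    start = line.find("request={")
    if start == -1:
        return None
    try:
        # Decode only the JSON object; the log line continues after it.
        req, end = json.JSONDecoder().raw_decode(line, start + len("request="))
    except json.JSONDecodeError:
        return None
    headers = req.get("headers", {})
    user_agent = (headers.get("User-Agent") or [""])[0]
    tls = req.get("tls", {})
    return {
        "stage": "post-handshake",
        "tls_version": TLS_VERSIONS.get(tls.get("version"), "unknown"),
        "cipher_suite": CIPHER_SUITES.get(tls.get("cipher_suite"), "unknown"),
        "media_stack_client": bool(MEDIA_STACK_UA.search(user_agent)),
        "playback_request": bool(PLAYBACK_URI.match(req.get("uri", ""))),
        "range": (headers.get("Range") or [None])[0],
        "stream_closed": "stream closed" in line[end:],
        "reading": "TLS was negotiated; the failure happened while writing the response",
    }


def triage(lines):
    """Classify every line, keeping input order."""
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Handshake-stage findings point at the trust configuration of whichever client component opened the connection; post-handshake findings mean the certificate exchange already succeeded for that request.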


@crisoagf commented on GitHub (Oct 18, 2024):

Hey, I have a similar issue.

This change to the AndroidManifest fixes it if you have your server's certificate (or a root certificate you have used) in the User Certificate Store in Android:

diff --git a/mobile/android/app/src/main/AndroidManifest.xml b/mobile/android/app/src/main/AndroidManifest.xml
index 17c2830b4..9d7db316b 100644
--- a/mobile/android/app/src/main/AndroidManifest.xml
+++ b/mobile/android/app/src/main/AndroidManifest.xml
@@ -24,7 +24,9 @@
 
   <application android:label="Immich" android:name=".ImmichApp" android:usesCleartextTraffic="true"
     android:icon="@mipmap/ic_launcher" android:requestLegacyExternalStorage="true"
-    android:largeHeap="true" android:enableOnBackInvokedCallback="false">
+    android:largeHeap="true" android:enableOnBackInvokedCallback="false"
+    android:networkSecurityConfig="@xml/network_security_config"
+    >
 
     <service
       android:name="androidx.work.impl.foreground.SystemForegroundService"
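
Review bot: On the `<application>` element, `android:usesCleartextTraffic="true"` is left next to the new `android:networkSecurityConfig` attribute, but on Android 7.0 (API 24) and later that flag is ignored once a network security config is present. The referenced file sets no `cleartextTrafficPermitted`, so whether plain-HTTP server URLs keep working now depends on the target SDK default rather than on this manifest. If HTTP access is meant to stay, state `cleartextTrafficPermitted="true"` on `<base-config>` explicitly and drop the dead attribute. Minor style point: keep the closing `>` on the last attribute line instead of a line of its own.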
@@ -81,6 +83,10 @@
       android:name="androidx.startup.InitializationProvider"
       android:authorities="${applicationId}.androidx-startup"
       tools:node="remove" />
+
+    <meta-data
+      android:name="io.flutter.network-policy"
+      android:resource="@xml/network_security_config" />
   </application>
 
 
diff --git a/mobile/android/app/src/main/res/xml/network_security_config.xml b/mobile/android/app/src/main/res/xml/network_security_config.xml
new file mode 100644
index 000000000..d20fb8331
--- /dev/null
+++ b/mobile/android/app/src/main/res/xml/network_security_config.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<network-security-config>
+    <base-config>
+        <trust-anchors>
+            <certificates src="system" />
+            <certificates src="user" />
+        </trust-anchors>
+    </base-config>
+</network-security-config>
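
Review bot: `<certificates src="user" />` is placed in `<base-config>`, so every TLS connection that honours this config will accept user-installed CAs, not only the connection to the configured Immich server. That widens trust compared with the platform default for apps targeting API 24 and later (system CAs only) and deserves a sentence in the change description plus a comment in the XML saying why it is needed. Since the manifest also points `io.flutter.network-policy` at the same resource, note in that comment that both consumers read this one file.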

but I think it may trigger a Play Store warning.


@nani8ot commented on GitHub (Dec 6, 2024):

With Immich 1.22.0, the Android client crashes after a few seconds when trying to play remote videos on a server with mTLS/client certificates.


@alextran1502 commented on GitHub (Dec 6, 2024):

@mertalev looks like we have to pass this info into the player somehow


@mertalev commented on GitHub (Dec 6, 2024):

This is unfortunately a bit out of my wheelhouse. I'm happy to review a PR for [native_video_player](https://github.com/immich-app/native_video_player) that fixes this issue, but I'm not the best person to make this PR.


@rovo89 commented on GitHub (Dec 7, 2024):

> I'm happy to review a PR for [native_video_player](https://github.com/immich-app/native_video_player) that fixes this issue, but I'm not the best person to make this PR.

Could you make it easier to see which code Immich actually uses? The main branch hasn't been updated for quite some time, but there are various feature branches. I assume it's feat/exoplayer? Maybe merge that into main and delete obsolete/merged branches?


@mertalev commented on GitHub (Dec 7, 2024):

You're right, `feat/exoplayer` is the relevant branch. I merged it into main and did some cleanup.


@squanbo commented on GitHub (Dec 10, 2024):

I encountered the same issue when using a reverse proxy. I am using a self-signed certificate and have enabled the 'Allow self-signed certificates' option in the settings. When opening a video on the Android client, the app crashes.
```
ApiException 400: TLS/SSL communication failed: GET /partners (Inner exception: HandshakeException: Handshake error in client (OS Error:
CERTIFICATE_VERIFY_FAILED: unable to get local issuer certificate(handshake.cc:393)))

#0 _SecureFilterImpl._handshake (dart:io-patch/secure_socket_patch.dart:99)
#1 _SecureFilterImpl.handshake (dart:io-patch/secure_socket_patch.dart:143)
#2 _RawSecureSocket._secureHandshake (dart:io/secure_socket.dart:920)
#3 _RawSecureSocket._tryFilter (dart:io/secure_socket.dart:1049)
<asynchronous suspension>
```


@rovo89 commented on GitHub (Dec 10, 2024):

Of course I'd like to have support for remote videos, but even if this doesn't get added immediately, at least the crash should be fixed... I assume this might also affect other situations where the connection failed.


@ipnetxyz commented on GitHub (Dec 18, 2024):

Here is my workaround, I hope this helps a bit.

I can confirm it has nothing to do with transcoding, as already mentioned above.

I have my own PKI CA (using certstrap app), using Caddy as reverse proxy and having the self-signed certificated by my CA.
In Immich, if I try to login with the https reverse proxy URL, I cannot (it throws an error) unless I enable "Allow self-signed SSL certificates". If I enable this setting in Immich mobile app, I can login but the videos do not load (basically just a static image and cannot "play" them).

What I did (and this is on iOS ecosystem, but I think will work on Android) to overcome this issue, is that I installed the PKI CA certificate on iOS. I just attached the CA certificate to an email sent to myself and once I open the attachment the iOS is asking if I want to install the profile attached to the CA (with warnings that this is insecure because self-signed, etc..)
Once installed, in Settings > Certificate Trust Settings I need to enable the trust for my CA certificate.

Then the Immich app allows me to login to the https reverse proxy URL _without_ enabling "allow self-signed SSL certificates".
Videos work fine on Immich app after going through the above.

Not an expert here, but I think the player has a problem with "self-signed SSL certificates" without a CA certificate trusted (even if this CA is also "self-signed").

Hope this helps!


@phipz commented on GitHub (Jan 9, 2025):

This issue is still open and persisting.

For me, on Immich iOS:
Video playback via the HTTP port works.
Video playback via the HTTPS reverse proxy does not work, while Login/Browsing works.

Allow-self-signed SSL Certificates is on.

My SSL certificate is from Let's Encrypt for my public domain, while I dial in with the local IP address (hence an SSL error for the hostname mismatch, which should normally be skipped with the above setting turned ON).


@ckuyehar commented on GitHub (Jan 10, 2025):

@phipz - i just created a guide documenting how to securely setup TLS reverse proxy on the Internet for anywhere Immich mobile app use.

you can review these docs, https://github.com/ckuyehar/immich/blob/ckuyehar-docs-updates/docs/docs/guides/remote-access.md and https://github.com/ckuyehar/immich/blob/ckuyehar-docs-updates/docs/docs/administration/reverse-proxy-tls.md

please note: this doesn't resolve the issue - this merely works around the existing capabilities of Immich today


@rovo89 commented on GitHub (Jan 10, 2025):

Remote video playback and image download are failing for me on Android because I have mTLS configured (with a proper Let's Encrypt certificate). My wife is getting more and more annoyed about this and said she would rather pay for Google Photos than continue to live with these limitations (especially the video)... which I don't want, so I started looking into this myself.

A major problem seems to be the many levels of abstraction and different packages used. Flutter (using Dart), Jetpack, Android framework... that make it hard to follow the call chain and pass the required information down to the places where connections are actually used.

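For most parts of the app, Immich uses [HttpSSLCertOverride](https://github.com/immich-app/immich/blob/main/mobile/lib/utils/http_ssl_cert_override.dart) to set the client certificate and allow self-signed certificates (for the Immich server host only), which is set globally [here](https://github.com/immich-app/immich/blob/7d50d3032bff9c32c1d001ce40ac184444009d5b/mobile/lib/main.dart#L51). But I think that only applies to places where Dart's standard [HttpClient](https://api.flutter.dev/flutter/dart-io/HttpClient-class.html) class is used. Under the hood, I think it makes [adjustments](https://github.com/dart-lang/sdk/blob/4bcd8c2b8ce56756dbe7dd762af7f9322a777402/runtime/bin/security_context.cc#L797) to OpenSSL's SSLCertContext which is wrapped by Dart's SecurityContext. My understanding is that the native HTTP client isn't involved at all here, but OpenSSL is used directly.

The video player seems to use the Android native HTTP client which is created [here](https://github.com/immich-app/native_video_player/blob/05ad661b338dad1a5cdac099630e6add351a708b/android/src/main/kotlin/me/albemala/native_video_player/NativeVideoPlayerViewController.kt#L74). DefaultHttpDataSource comes from [here](https://github.com/androidx/media/blob/release/libraries/datasource/src/main/java/androidx/media3/datasource/DefaultHttpDataSource.java) and uses [HttpURLConnection](https://github.com/androidx/media/blob/76088cd6af7f263aba238b7a48d64bd4f060cb8b/libraries/datasource/src/main/java/androidx/media3/datasource/DefaultHttpDataSource.java#L610). IIUC, Android uses a customized OpenJDK with their own [handlers](https://android.googlesource.com/platform/libcore/+/5738890c2aed47e7d6bc4516f9e07931e2a21bdb/ojluni/src/main/java/java/net/URL.java#1286), in this case [com.android.okhttp.HttpsHandler](https://android.googlesource.com/platform/external/okhttp/+/refs/heads/main/android/src/main/java/com/squareup/okhttp/HttpsHandler.java). [This](https://android.googlesource.com/platform/external/okhttp/+/refs/heads/main/android/src/main/java/com/squareup/okhttp/HttpsHandler.java#92) seems to be the place where they set SSL options, which uses HttpsURLConnection.getDefaultSSLSocketFactory(). I haven't tracked it down completely yet, but I think SSLContext.init() is where a client certificate would be specified.

I have just written this down to understand the current flow and maybe get corrections from someone. Next step would be finding a way to pass the client certificate to the appropriate place without breaking abstraction... Maybe it would be sufficient to call HttpsURLConnection.setDefaultSSLSocketFactory() in Immich code?

For completeness, the download library has [some code](https://github.com/781flyingdutchman/background_downloader/blob/main/android/src/main/kotlin/com/bbflight/background_downloader/Helpers.kt) to accept untrusted certificates which calls exactly that method with an accept-all trust manager, indicating that it could profit from this approach as well.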


@alextran1502 commented on GitHub (Jan 10, 2025):

@rovo89 what are the differences of your setup vs a more traditional reverse proxy setup with Let's Encrypt generating SSL certificate? I am asking because the route that most users take doesn't run into this issue


@rovo89 commented on GitHub (Jan 10, 2025):

I use client certificates (aka. mTLS) for all the stuff hosted on my home server. If a device doesn't present its valid certificate, the connection is canceled already during the handshake. That gives me some peace of mind because I don't need to care much about the security of all the stuff I host, I can be very sure that this first line of defense won't even let attackers see a password prompt or anything. And since my browser is configured to automatically choose the client certificate for everything under my domain, it's transparent for me.

A few versions back, support for uploading client certificates was added to the mobile app, so I take it that such a setup isn't completely out of focus, but it's not 100% complete. And with two kids, watching the videos my partner took on her phone is a rather frequent thing, which brings it close to a show-stopper for us.


@rovo89 commented on GitHub (Jan 10, 2025):

Oh, and I do use a wildcard certificate from Let's Encrypt for my domain and subdomains for all the hosted services. The server certificate isn't the problem, the client certificate is (which is using a simple self-operated CA, but that shouldn't matter).


@amigthea commented on GitHub (Jan 10, 2025):

> @rovo89 what are the differences of your setup vs a more traditional reverse proxy setup with Let's Encrypt generating SSL certificate? I am asking because the route that most users take doesn't run into this issue

I was worried when I migrated to immich because of this mTLS issue, but I have the scenario you described (let's encrypt for server certificates and mTLS, with self signed CA, for client) and <strike>I can play video remotely with no problem</strike>. Is the OP problem related only to mTLS and self signed server certificate?


@rovo89 commented on GitHub (Jan 10, 2025):

Huh, that's strange. Are you on Android as well? For me the app crashes after a few seconds whenever I try to watch a video that's not on my device (either taken by my partner or deleted locally). Before the switch to the new video player, it just had a black screen.

Unfortunately there are multiple scenarios described in this issue, making it a bit hard to follow. Multiple issues have been reported in the past months, but I think they have all been closed as duplicates of this one.


@ktm-91 commented on GitHub (Jan 10, 2025):

> I was worried when I migrated to immich because of this mTLS issue, but I have the scenario you described (let's encrypt for server certificates and mTLS, with self signed CA, for client) and I can play video remotely with no problem. Is the OP problem related only to mTLS and self signed server certificate?

I have only server certificate (no mTLS), generated by Let's Encrypt, and I cannot play videos from the Android app (since a few version updates it crashes when I try)


@amigthea commented on GitHub (Jan 10, 2025):

> Huh, that's strange. Are you on Android as well? For me the app crashes after a few seconds whenever I try to watch a video that's not on my device (either taken by my partner or deleted locally). Before the switch to the new video player, it just had a black screen.
>
> Unfortunately there are multiple scenarios described in this issue, making it a bit hard to follow. Multiple issues have been reported in the past months, but I think they have all been closed as duplicates of this one.

android 14, oneplus 9 pro, Immich app v.1.230.0
of course tested on a video that's on my backup server only

> I have only server certificate (no mTLS), generated by Let's Encrypt, and I cannot play videos from the Android app (since a few version updates it crashes when I try)

that's really weird, I agree with @rovo89, those all seem different scenarios


@ryan77627 commented on GitHub (Jan 10, 2025):

> Huh, that's strange. Are you on Android as well? For me the app crashes after a few seconds whenever I try to watch a video that's not on my device (either taken by my partner or deleted locally). Before the switch to the new video player, it just had a black screen.

Same here, using a standard reverse proxy setup through Caddy with the exception being a custom CA (self-hosted), no mTLS. I am trying to get some logs, but I cannot get any to show up in the built-in logger. When I have some time (moving for school currently) I'll try to get the logs through logcat directly since this is an entire app crash.


@amigthea commented on GitHub (Jan 10, 2025):

errata corrige
I tried to back up a new video, delete it from my phone, and play it remotely over mTLS: the app crashes after a brief loading screen, the same is happening with the old video, must have messed up the first try somehow


@amitrea commented on GitHub (Jan 10, 2025):

First, the issue is related to having your own PKI for services exposed behind a proxy.

**Android** app is trying to play a video uploaded into Immich, and **deleted locally** to save space on your mobile. See [this comment](https://github.com/immich-app/immich/issues/5553#issuecomment-1847470157).
If you have the video on your phone you will not see this bug.

I am using a reverse proxy (Caddy) to terminate SSL/TLS connections, which offloads the encryption and decryption processes from a part of my backend services including Immich.

I am not exposing the services outside, on the internet, so no need to maintain both a PKI infrastructure and Let's Encrypt periodic renewal (cert manager or something else).

I imported the self signed root certificate as a trusted certificate on all devices that want to use the services behind the proxy.

I strongly think that the bug is in flutter videoplayer, as I investigated a bit in detail at that time.
Someone already commented here that indeed this could be the problem.

**Other comments to previous comments:**

Would be interesting to see how one can use mTLS with Let's Encrypt certificates.
Let's Encrypt certificates support the "TLS Client Authentication" feature, allowing them to be used for client authentication in theory. However, this is often not the most suitable option for most scenarios. It's important to ensure that your system doesn't indiscriminately accept any certificate issued by Let's Encrypt. In such cases, it may be more effective to use your own private Certificate Authority (CA).
Also Let's Encrypt issues certificates with fixed profiles, which typically are not suitable for client authentication.

The mTLS is more used in context of secure communication between two or more trusting services (service mesh). Of course you can use it also between your client devices (apps, or browsers) and a service or proxy.


@alextran1502 commented on GitHub (Jan 10, 2025):

I think this issue is related to different HTTP clients used in the video player. So ideally, the way to fix this issue is to pass the HTTP client with the certificate to all requests, including the video player.

@rovo89 For wife-approval-factor, maybe you can set up a VPN for her?


@ryan77627 commented on GitHub (Jan 10, 2025):

@amitrea Ah, apologies. I thought the Native Player was supposed to fix the self-managed PKI issues we had. I've been loosely following this issue for the past 7-ish months, but haven't been keeping up to date. I'd prefer to just use my own certs, but I could provision public certificates and use them if need be. Anyways, @alextran1502 I have some logs, I do not know how useful they are. Seems the app crash stems from ExoPlayer running into a source issue (stemming from the TLS stuff). App crashes presumably because it cannot handle whatever ExoPlayer returns to it (again, hard to tell because the installed app seems to be minified. If there are debug builds somewhere let me know).

Immich crash:

```
FATAL EXCEPTION: main
Process: app.alextran.immich, PID: 28260
java.lang.ClassCastException: h0.q cannot be cast to java.lang.Error
	at E5.b.k0(Unknown Source:35)
	at j0.i0.C1(Unknown Source:2)
	at j0.i0.c0(Unknown Source:0)
	at j0.g0.b(Unknown Source:4)
	at f0.n$c.a(Unknown Source:17)
	at f0.n.h(Unknown Source:16)
	at f0.n.a(Unknown Source:0)
	at f0.m.run(Unknown Source:6)
	at f0.n.f(Unknown Source:67)
	at j0.i0.f2(Unknown Source:422)
	at j0.i0.n1(Unknown Source:192)
	at j0.i0.s1(Unknown Source:0)
	at j0.i0.m0(Unknown Source:0)
	at j0.Y.run(Unknown Source:4)
	at android.os.Handler.handleCallback(Handler.java:991)
	at android.os.Handler.dispatchMessage(Handler.java:102)
	at android.os.Looper.loopOnce(Looper.java:232)
	at android.os.Looper.loop(Looper.java:317)
	at android.app.ActivityThread.main(ActivityThread.java:8787)
	at java.lang.reflect.Method.invoke(Native Method)
	at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:591)
	at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:871)
```

ExoPlayer dump uploaded in file.
[10_01-10-26-46_521.log](https://github.com/user-attachments/files/18379181/10_01-10-26-46_521.log)


@amitrea commented on GitHub (Jan 10, 2025):

Dear all,

At the time I identified this issue, with the investigation I made, I stopped using the Android application. After a while, seeing not too much interest for it, I stopped following this issue.

Today was an avalanche of messages and was curious 🤨 . Only after @ryan77627 replied, I read a bit what happened here and saw somebody already merged a fix for the Android player.

I then said to download the Android App again and set it back to connect to my Immich instance through the Caddy proxy, using this time the "https://" schema and the same private PKI (with the root certificate added to my android as trusted).

It seems that now I can play remote videos from Immich server, videos that are not locally on my mobile and using https with my own/private PKI.

Thank you to the people that worked on the fix, finally :)

Thank you @yan77627. Your message made me decide to test the app again, so no need to apologise. 🤨

@alextran1502 and the team, you can consider closing this issue as well, from my point of view.

If other issues, as other mentioned here, then maybe they need to create a new issue.

If you want to close it I am happy to do it. Just please let me know.


@alextran1502 commented on GitHub (Jan 10, 2025):

Closing this issue per the OP's request. If others are interested, please help us open a new issue with your setup


@ktm-91 commented on GitHub (Jan 10, 2025):

> Dear all,
>
> At the time I identified this issue, with the investigation I made, I stopped using the Android application. After a while, seeing not too much interest for it, I stopped following this issue.
>
> Today was an avalanche of messages and was curious 🤨 . Only after @ryan77627 replied, I read a bit what happened here and saw somebody already merged a fix for the Android player.
>
> I then said to download the Android App again and set it back to connect to my Immich instance through the Caddy proxy, using this time the "https://" schema and the same private PKI (with the root certificate added to my android as trusted).
>
> It seems that now I can play remote videos from Immich server, videos that are not locally on my mobile and using https with my own/private PKI.
>
> Thank you to the people that worked on the fix, finally :)
>
> Thank you @yan77627. Your message made me decide to test the app again, so no need to apologise. 🤨
>
> @alextran1502 and the team, you can consider closing this issue as well, from my point of view.
>
> If other issues, as other mentioned here, then maybe they need to create a new issue.
>
> If you want to close it I am happy to do it. Just please let me know.

Sorry but I don't understand... I just tried to uninstall and reinstall the Android app, but the bug is still there: when I try to play a video present on Immich server, through a TLS reverse proxy (HAProxy in my case), the app crashes. It's the same bug present since more than a year ago.
I'm using the latest versions of both the Android app and the Immich server


@amigthea commented on GitHub (Jan 10, 2025):

> Today was an avalanche of messages and was curious 🤨 . Only after @ryan77627 replied, I read a bit what happened here and saw somebody already merged a fix for the Android player.

it still crashes for me, using both TLS and mTLS through nginx


@ckuyehar commented on GitHub (Jan 10, 2025):

> It seems that now I can play remote videos from Immich server, videos that are not locally on my mobile and using https with my own/private PKI.

@amitrea

  • What version of the mobile app are you using?
  • Try downloading an image that doesn't exist on your phone. Success?

@bo0tzz commented on GitHub (Jan 10, 2025):

We're now tracking any unusual networking things like this in #15230.


@amitrea commented on GitHub (Jan 11, 2025):

> > It seems that now I can play remote videos from Immich server, videos that are not locally on my mobile and using https with my own/private PKI.
>
> @amitrea
>
> • What version of the mobile app are you using?
> • Try downloading an image that doesn't exist on your phone. Success?

I am using Android app version 1.124.0.build.173
Server version: 1.123.0


@Sprinter05 commented on GitHub (Feb 9, 2025):

Can confirm the issue still persists, though now the Android app just keeps loading forever instead of crashing.
I am using Nginx Reverse Proxy with a self signed SSL certificate.
Android app Version: 1.125.5 build.181
Server Version: 1.125.7


@SvenVD commented on GitHub (Mar 3, 2025):

Nginx Reverse Proxy with a self signed SSL certificate. Version 1.128.0 same issue


@felixconsulting commented on GitHub (Oct 14, 2025):

The specific error you guys are likely getting is "Trust anchor for certification path not found" as I have the same issue and can see the logs. This issue should be re-opened, still impacts me on immich stable.
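
The log triage described in this thread (pulling the underlying TLS error out of logcat when the app's built-in logger shows nothing, and telling the reported scenarios apart), as an added Python example that is not part of the thread or of Immich. It assumes `adb logcat -v threadtime` output; the sample lines, the rule names and the 5-second correlation window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in `adb logcat -v threadtime` layout. Only the package name,
# PID 28260 and the ClassCastException text come from the thread; every other
# value (timestamps, thread ids, tags, the address 192.0.2.10) is made up.
SAMPLE_LOGCAT = """\
01-10 10:26:44.102 28260 28301 E ExoPlayerImplInternal: Playback error
01-10 10:26:44.102 28260 28301 E ExoPlayerImplInternal: Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
01-10 10:26:44.350 28260 28260 E AndroidRuntime: FATAL EXCEPTION: main
01-10 10:26:44.350 28260 28260 E AndroidRuntime: Process: app.alextran.immich, PID: 28260
01-10 10:26:44.350 28260 28260 E AndroidRuntime: java.lang.ClassCastException: h0.q cannot be cast to java.lang.Error
01-10 10:31:02.000 30011 30040 E ExoPlayerImplInternal: Caused by: javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.0.2.10 not verified
01-10 10:40:15.500 31500 31522 E ExoPlayerImplInternal: Caused by: javax.net.ssl.SSLHandshakeException: Read error: SSLV3_ALERT_HANDSHAKE_FAILURE
01-10 10:45:00.000 31500 31500 I ActivityManager: unrelated line
"""

# threadtime layout: date time PID TID level tag: message
LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+?)\s*:\s(?P<msg>.*)$"
)

# Ordered signatures (hypothetical rule names); the first match wins.
# Each hint says what to check on the client or proxy side.
RULES = [
    ("untrusted_ca", re.compile(r"Trust anchor for certification path not found"),
     "the HTTP stack that fetched the video does not trust the issuing CA"),
    ("hostname_mismatch", re.compile(r"SSLPeerUnverifiedException"),
     "the host in the server URL is not covered by the certificate's SAN"),
    ("handshake_alert", re.compile(r"SSLHandshakeException.*ALERT"),
     "the peer aborted the handshake; with mTLS, check the client certificate"),
]
HINTS = {name: hint for name, _, hint in RULES}


def triage(logcat_text, window=timedelta(seconds=5)):
    """Return TLS findings, flagging those followed by a crash of the same PID."""
    findings = []
    for raw in logcat_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # stack-trace continuation or another log format
        # logcat omits the year; a fixed leap year keeps 02-29 parseable.
        ts = datetime.strptime("2000-" + m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        pid, msg = int(m["pid"]), m["msg"]
        if msg.startswith("FATAL EXCEPTION"):
            # A crash shortly after a TLS error in the same process is treated
            # as a consequence of that error, not as a separate root cause.
            for f in findings:
                if f["pid"] == pid and timedelta(0) <= ts - f["time"] <= window:
                    f["crash_followed"] = True
            continue
        for cause, pattern, _ in RULES:
            if pattern.search(msg):
                findings.append({"pid": pid, "time": ts, "cause": cause,
                                 "crash_followed": False})
                break
    return findings


def report(findings):
    """One human-readable line per finding."""
    lines = []
    for f in findings:
        outcome = "app crash followed" if f["crash_followed"] else "no crash logged"
        lines.append(f"{f['time']:%m-%d %H:%M:%S} pid={f['pid']} {f['cause']}: "
                     f"{HINTS[f['cause']]} ({outcome})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOGCAT))))
```

Run against a real capture, the three causes correspond to the separate scenarios reported in this thread: an untrusted private CA, a name or IP missing from the SAN, and a rejected handshake.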


@MadKillerChicken commented on GitHub (Oct 14, 2025):

Think I never actually looked at the exact error.
The issue affecting me got fixed at some point.

Some context:
I'm running Immich with Docker behind Traefik using self-signed certificates (obviously). It also isn't exposed to the internet, remote access happens via VPN.

-------- Original Message --------
On Tuesday, 10/14/25 at 04:35 Felix Consulting @.***> wrote:

> felixconsulting left a comment (immich-app/immich#5553)
>
> The specific error you guys are likely getting is "Trust anchor for certification path not found" as I have the same issue and can see the logs. This issue should be re-opened, still impacts me on immich stable.




@Sprinter05 commented on GitHub (Oct 14, 2025):

I created a new SSL certificate for my DNS domain and it magically worked


@felixconsulting commented on GitHub (Oct 15, 2025):

> I created a new SSL certificate for my DNS domain and it magically worked

Can you elaborate on this? Are you talking about putting a DNS name on the SAN of your certificate? I put my server's IP address on the SAN for its certificate and that did not fix anything.


@Sprinter05 commented on GitHub (Oct 15, 2025):

I don't really remember the process but I'm pretty sure I didn't put the IP anywhere on the certificate, just the domain name


Reference: immich-app/immich#1744