[BUG] TLS/SSL communication failed: POST /oauth/config #924

Closed
opened 2026-02-04 23:34:46 +03:00 by OVERLORD · 8 comments

Originally created by @r01k on GitHub (Jun 10, 2023).

The bug

Attempting to connect to the server endpoint (https://immich-server.ddns.net:28376/api) fails with "TLS/SSL communication failed: POST /oauth/config"
Screenshot: https://github.com/immich-app/immich/assets/19595786/2f774f13-413d-4831-a700-cff57f6d2bfa

This is a brand new Docker setup on Ubuntu Server. Nginx is acting as reverse proxy on the same machine to support HTTPS with a publicly trusted certificate. The problem only occurs from the Android app, on the three devices tested. On iOS the app does connect and takes me to the login page. The Immich web page is trusted by the browsers on all devices and logging in works.

Nginx debug log records an SSL handshake failure:
2023/06/09 17:04:50 [debug] 4811#4811: *2 SSL_do_handshake: -1
2023/06/09 17:04:50 [debug] 4811#4811: *2 SSL_get_error: 6
2023/06/09 17:04:50 [info] 4811#4811: *2 peer closed connection in SSL handshake while SSL handshaking, client: 192.168.1.115, server: 0.0.0.0:28376
2023/06/09 17:04:50 [debug] 4811#4811: *2 close http connection: 20

The Immich app log is empty.

If the app is pointed to the HTTP endpoint the error does not occur, even if going through the reverse proxy (after disabling HTTPS).

The OS that Immich Server is running on

Ubuntu 22.04.2

Version of Immich Server

1.60.0

Version of Immich Mobile App

1.60.0

Platform with the issue

  • [ ] Server
  • [ ] Web
  • [x] Mobile

Your docker-compose.yml content

version: "3.8"

services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    command: ["start-server.sh"]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
    env_file:
      - .env
    depends_on:
      - redis
      - database
      - typesense
    restart: always

  immich-microservices:
    container_name: immich_microservices
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    command: ["start-microservices.sh"]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
    env_file:
      - .env
    depends_on:
      - redis
      - database
      - typesense
    restart: always

  immich-machine-learning:
    container_name: immich_machine_learning
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - model-cache:/cache
    env_file:
      - .env
    restart: always

  immich-web:
    container_name: immich_web
    image: ghcr.io/immich-app/immich-web:${IMMICH_VERSION:-release}
    env_file:
      - .env
    restart: always

  typesense:
    container_name: immich_typesense
    image: typesense/typesense:0.24.0
    environment:
      - TYPESENSE_API_KEY=${TYPESENSE_API_KEY}
      - TYPESENSE_DATA_DIR=/data
    logging:
      driver: none
    volumes:
      - tsdata:/data
    restart: always

  redis:
    container_name: immich_redis
    image: redis:6.2
    restart: always

  database:
    container_name: immich_postgres
    image: postgres:14
    env_file:
      - .env
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      PG_DATA: /var/lib/postgresql/data
    volumes:
      - pgdata:/var/lib/postgresql/data
    restart: always

  immich-proxy:
    container_name: immich_proxy
    image: ghcr.io/immich-app/immich-proxy:${IMMICH_VERSION:-release}
    environment:
      # Make sure these values get passed through from the env file
      - IMMICH_SERVER_URL
      - IMMICH_WEB_URL
    ports:
      - 2283:8080
    depends_on:
      - immich-server
    restart: always

volumes:
  pgdata:
    driver: local
    driver_opts:
      type: none
      o: bind
      device: /database
  model-cache:
  tsdata:

Your .env content

###################################################################################
# Database
###################################################################################

# NOTE: The following four database variables support Docker secrets by adding a *_FILE suffix to the variable name
# See the docker-compose documentation on secrets for additional details: https://docs.docker.com/compose/compose-file/compose-file-v3/#secrets
DB_HOSTNAME=immich_postgres
DB_USERNAME=immich
DB_PASSWORD=<elided>
DB_DATABASE_NAME=immich

# Optional Database settings:
# DB_PORT=5432

###################################################################################
# Redis
###################################################################################

REDIS_HOSTNAME=immich_redis

# REDIS_URL will be used to pass custom options to ioredis.
# Example for Sentinel
# {"sentinels":[{"host":"redis-sentinel-node-0","port":26379},{"host":"redis-sentinel-node-1","port":26379},{"host":"redis-sentinel-node-2","port":26379}],"name":"redis-sentinel"}
# REDIS_URL=ioredis://eyJzZW50aW5lbHMiOlt7Imhvc3QiOiJyZWRpcy1zZW50aW5lbDEiLCJwb3J0IjoyNjM3OX0seyJob3N0IjoicmVkaXMtc2VudGluZWwyIiwicG9ydCI6MjYzNzl9XSwibmFtZSI6Im15bWFzdGVyIn0=

# Optional Redis settings:

# Note: these parameters are not automatically passed to the Redis Container
# to do so, please edit the docker-compose.yml file as well. Redis is not configured
# via environment variables, only redis.conf or the command line

# REDIS_PORT=6379
# REDIS_DBINDEX=0
# REDIS_USERNAME=
# REDIS_PASSWORD=
# REDIS_SOCKET=

###################################################################################
# Upload File Location
#
# This is the location where uploaded files are stored.
###################################################################################

UPLOAD_LOCATION=/mnt/upload


###################################################################################
# Typesense
###################################################################################
TYPESENSE_API_KEY=<elided>
# TYPESENSE_ENABLED=false
# TYPESENSE_URL uses base64 encoding for the nodes json.
# Example JSON that was used:
# [
#      { 'host': 'typesense-1.example.net', 'port': '443', 'protocol': 'https' },
#      { 'host': 'typesense-2.example.net', 'port': '443', 'protocol': 'https' },
#      { 'host': 'typesense-3.example.net', 'port': '443', 'protocol': 'https' },
#  ]
# TYPESENSE_URL=ha://WwogICAgeyAnaG9zdCc6ICd0eXBlc2Vuc2UtMS5leGFtcGxlLm5ldCcsICdwb3J0JzogJzQ0MycsICdwcm90b2NvbCc6ICdodHRwcycgfSwKICAgIHsgJ2hvc3QnOiAndHlwZXNlbnNlLTIuZXhhbXBsZS5uZXQnLCAncG9ydCc6ICc0NDMnLCAncHJvdG9jb2wnOiAnaHR0cHMnIH0sCiAgICB7ICdob3N0JzogJ3R5cGVzZW5zZS0zLmV4YW1wbGUubmV0JywgJ3BvcnQnOiAnNDQzJywgJ3Byb3RvY29sJzogJ2h0dHBzJyB9LApd

###################################################################################
# Reverse Geocoding
#
# Reverse geocoding is done locally which has a small impact on memory usage
# This memory usage can be altered by changing the REVERSE_GEOCODING_PRECISION variable
# This ranges from 0-3 with 3 being the most precise
# 3 - Cities > 500 population: ~200MB RAM
# 2 - Cities > 1000 population: ~150MB RAM
# 1 - Cities > 5000 population: ~80MB RAM
# 0 - Cities > 15000 population: ~40MB RAM
####################################################################################

# DISABLE_REVERSE_GEOCODING=false
# REVERSE_GEOCODING_PRECISION=3

####################################################################################
# WEB - Optional
#
# Custom message on the login page, should be written in HTML form.
# For example:
# PUBLIC_LOGIN_PAGE_MESSAGE="This is a demo instance of Immich.<br><br>Email: <i>demo@demo.de</i><br>Password: <i>demo</i>"
####################################################################################

PUBLIC_LOGIN_PAGE_MESSAGE=

####################################################################################
# Alternative Service Addresses - Optional
#
# This is an advanced feature for users who may be running their immich services on different hosts.
# It will not change which address or port that services bind to within their containers, but it will change where other services look for their peers.
# Note: immich-microservices is bound to 3002, but no references are made
####################################################################################

IMMICH_WEB_URL=http://immich-web:3000
IMMICH_SERVER_URL=http://immich-server:3001
IMMICH_MACHINE_LEARNING_URL=http://immich-machine-learning:3003

####################################################################################
# Alternative API's External Address - Optional
#
# This is an advanced feature used to control the public server endpoint returned to clients during Well-known discovery.
# You should only use this if you want mobile apps to access the immich API over a custom URL. Do not include trailing slash.
# NOTE: At this time, the web app will not be affected by this setting and will continue to use the relative path: /api
# Examples: http://localhost:3001, http://immich-api.example.com, etc
####################################################################################

#IMMICH_API_URL_EXTERNAL=http://localhost:3001

###################################################################################
# Immich Version - Optional
#
# This allows all immich docker images to be pinned to a specific version. By default, 
# the version is "release" but could be a specific version, like "v1.59.0".
###################################################################################

#IMMICH_VERSION=

Reproduction steps

1. Configure nginx with a publicly trusted certificate to listen over HTTPS as reverse proxy for the Immich server.
2. Attempt to access the nginx endpoint over HTTPS from the Immich Android app: https://immich-server.ddns.net:28376/api. Tap Next.
3. A pop up shows: "TLS/SSL communication failed: POST /oauth/config" and the app stays on the same screen.

Additional information

nginx config file:

server {

listen 28376  ssl;
server_name immich-server.ddns.net;

# SSL Configuration
ssl_certificate /etc/ssl/immich/server_cert.pem;
ssl_certificate_key /etc/ssl/immich/server_key.pem;
ssl_session_cache  builtin:1000  shared:SSL:10m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;

# Set the access log location
access_log            /var/log/nginx/immich_access.log;
error_log            /var/log/nginx/immich_error.log  debug;

location / {

  # Set the proxy headers
  proxy_set_header        Host $host;
  proxy_set_header        X-Real-IP $remote_addr;
  proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header        X-Forwarded-Proto $scheme;

  # Configure which address the request is proxied to
  proxy_pass          http://localhost:2283;
  proxy_read_timeout  90;

  # Security headers
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  add_header Referrer-Policy "origin";
}

}


@alextran1502 commented on GitHub (Jun 10, 2023):

Have you tried using port 443 instead of 28376?


@alextran1502 commented on GitHub (Jun 10, 2023):

I don't think this is an Immich bug but an NGINX configuration issue on your setup. Do you mind going to Discord and posting in the help-desk forum so people with expertise in NGINX can help you out?


@r01k commented on GitHub (Jun 10, 2023):

> Have you tried using port 443 instead of 28376?

I just did, but the problem persists all the same.

I'd think that it is solely caused by my nginx config, but wonder then why it only affects the Android app specifically.
I'll post on Discord too.


@r01k commented on GitHub (Jun 10, 2023):

Fixed!

It was my certificate chain missing an intermediate certificate, which in theory is not needed (or so I thought) because it has transitive trust from the root certificate. But some strict SSL libraries do require it. I got a big hint towards the solution by trying the Immich web app from Brave on iOS, which didn't trust the certificate.

Full dialog on Discord: https://discord.com/channels/979116623879368755/1116931393532985364

@ioogithub commented on GitHub (Jul 23, 2023):

> Fixed!
>
> It was my certificate chain missing an intermediate certificate, which in theory is not needed (or so I thought) because it has transitive trust from the root certificate. But some strict SSL libraries do require it. I got a big hint towards the solution by trying the Immich web app from Brave on iOS, which didn't trust the certificate.
>
> Full dialog on Discord.

Hi @r01k, could you please let me know what type of certificate Immich requires? I have been struggling for a few days. The webpage works in browsers on Android and Linux, but no matter what I try I get "TLS/SSL communication failed: POST /oauth/config" from the app.

I have a self-signed certificate; I created a chain and a full chain with an intermediate, but the app will not recognize it. I think I have the exact same problem you have; how did you fix it?


@r01k commented on GitHub (Jul 24, 2023):

My problem was that the PEM file was missing an intermediate certificate. My chain needed 4 certificates in total. Try fully verifying your chain with openssl or certutil.


@ioogithub commented on GitHub (Jul 24, 2023):

> My problem was that the PEM file was missing an intermediate certificate. My chain needed 4 certificates in total. Try fully verifying your chain with openssl or certutil.

Thanks for answering! Just to clarify, were you ever able to get it working with a self signed cert? I read the discord log you posted but I wasn't able to tell.

I created my cert with the popular https://github.com/FiloSottile/mkcert util which I have seen other android app devs recommend. I can cat the certs to create a chain or full chain following @emahuni's method: https://github.com/FiloSottile/mkcert/issues/214. I tried:

  • chain= cert+root
  • fullchain= cert+cert+root which means the 2nd cert should be the intermediate but it made no difference. I can try 4 as you recommended: cert+cert+cert+root but I would be surprised if it worked.

If I verify with this: openssl verify -CAfile rootCA.pem domain.fullchain.pem it validates. Is there a better command to validate the chain?

I run a dozen self-hosted Android apps on this server with this cert and they all work, but like @d-sko mentioned here: https://github.com/immich-app/immich/issues/765, I'm about ready to give up on Immich. Nothing is working and there is no log to troubleshoot or debug.


@r01k commented on GitHub (Jul 25, 2023):

Sure, np. Initially I tried to make it work with a cert signed by my own private root CA (no intermediate CA) but switched to one signed by a public CA when I encountered the error, thinking that perhaps the Immich app won't trust user CAs. A couple of ideas:

  • If you point openssl to the single chain file containing all intermediate certs, does it validate?
  • If available, can you see if the Brave Browser on iOS trusts the cert on the Immich webpage?
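The two checks discussed in this thread, r01k's advice to fully verify the chain with openssl and ioogithub's `openssl verify -CAfile rootCA.pem domain.fullchain.pem`, test different things. The script below is an added example, not code from this thread or from Immich: it builds a throwaway root / intermediate / leaf PKI with openssl (every name and path in it is constructed for the demo), then shows that `openssl verify -CAfile root bundle` only checks the first certificate in the file against the trust store and ignores everything after it, while a client verifying the chain a server sends needs the leaf first, every intermediate alongside it, and only the root trusted. A `cert+cert+root` bundle, which repeats the leaf instead of supplying the intermediate, comes out incomplete.

```shell
#!/bin/sh
# Added example (not from the issue or from Immich): build a demo PKI with
# openssl, then check PEM bundles the way a TLS client checks a served chain.
# All names and paths below are constructed for the demo.

WORK=$(mktemp -d)

# One config file for every step: an empty DN section (subjects are passed
# with -subj) plus the extension sets for CA and server certificates.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:immich.example.test
EOF

# Self-signed root CA: the only certificate the "client" trusts.
openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext -newkey rsa:2048 \
  -nodes -days 2 -subj "/CN=Demo Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA, signed by the root.
openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=Demo Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/openssl.cnf" -extensions ca_ext -out "$WORK/int.pem" 2>/dev/null

# Server (leaf) certificate, signed by the intermediate.
openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=immich.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -extfile "$WORK/openssl.cnf" -extensions leaf_ext -out "$WORK/leaf.pem" 2>/dev/null

# Three bundles an operator might point nginx's ssl_certificate at:
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/good.pem"                      # leaf + intermediate
cat "$WORK/leaf.pem" > "$WORK/missing.pem"                                   # leaf only
cat "$WORK/leaf.pem" "$WORK/leaf.pem" "$WORK/root.pem" > "$WORK/padded.pem"  # cert+cert+root

# Split a PEM bundle into $2/cert-1.pem, cert-2.pem, ... in file order.
split_bundle() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (d "/cert-" n ".pem") }' "$1"
}

# Print subject and issuer of every certificate in a bundle, in order.
# A gap shows up as an issuer that never appears as a later subject.
describe_chain() {
  d=$(mktemp -d)
  split_bundle "$1" "$d"
  for f in "$d"/cert-*.pem; do
    openssl x509 -noout -subject -issuer -in "$f"
  done
  rm -rf "$d"
}

# The thread's check: openssl verify reads only the FIRST certificate in the
# file and verifies it against -CAfile; the rest of the bundle is ignored.
# Prints "ok" or "fail".
naive_status() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# What a TLS client effectively does with a served chain: the first
# certificate is the leaf, the rest are untrusted intermediates, and only
# the root is trusted. Prints "complete" or "incomplete".
chain_status() {
  bundle=$1; root=$2
  d=$(mktemp -d)
  split_bundle "$bundle" "$d"
  n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
  set --
  if [ "$n" -gt 1 ]; then
    i=2
    while [ "$i" -le "$n" ]; do cat "$d/cert-$i.pem"; i=$((i + 1)); done > "$d/untrusted.pem"
    set -- -untrusted "$d/untrusted.pem"
  fi
  if openssl verify -CAfile "$root" "$@" "$d/cert-1.pem" >/dev/null 2>&1; then
    echo complete
  else
    echo incomplete
  fi
  rm -rf "$d"
}

for b in good missing padded; do
  echo "== $b.pem: naive=$(naive_status "$WORK/$b.pem" "$WORK/root.pem")" \
       "chain=$(chain_status "$WORK/$b.pem" "$WORK/root.pem")"
  describe_chain "$WORK/$b.pem"
done
echo "demo files left in $WORK"
```

`naive_status` reports fail for all three bundles, including the complete one, because it never looks past the first certificate; it only passes when the leaf is signed directly by a certificate in `-CAfile`, which is why a mkcert-style cert+root bundle "validates" even though that says nothing about intermediates. `chain_status` reports complete only for leaf + intermediate. The same split-and-verify step applies to what nginx actually sends: capture it with `openssl s_client -connect immich-server.ddns.net:28376 -servername immich-server.ddns.net -showcerts </dev/null`, save the certificates it prints, and run `chain_status` on that file. The `ssl_certificate` file must contain the leaf first and then the intermediates in order; the trusted root itself does not need to be in it.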
Reference: immich-app/immich#924