Server is not reachable, Android, Invalid SSL Certificate
I just set up Immich on my Ubuntu 20 server using docker compose. It is accessible through an nginx reverse proxy via https://immich.mydomain.com (not the actual domain). Immich and the database are hosted on my server, but UPLOAD_LOCATION points to an existing directory in a SMB network share (mounted via CIFS 3.0 in fstab).
I can access Immich via the web interface, but when I try to connect via the Android app (https://immich.mydomain.com/api) it says "Server is not reachable". The logs say "Invalid SSL certificate for immich.mydomain.com:443". I had to update my TLS certificate to add the immich.mydomain.com domain, but it started working in the browser after that. I can see the updated certificate in my browser with the new domain. Maybe Android is just caching the old certificate?
curl also complains about the certificate. But I can at least get a response if I disable certificate validation.
On top of that, the web interface gives an error when I try to upload any images and it does not display any of the pictures already in the UPLOAD_LOCATION directory. The upload error doesn't give me any information and I'm not sure where to find relevant logs.
The UPLOAD_LOCATION directory has 777 permissions and is owned by the users group.
14 Replies
:wave: Hey @CivBase,
Thanks for reaching out to us. Please follow the recommended actions below; this will help us be more effective in our support effort and leave more time for building Immich :immich:.
References
- Container Logs: docker compose logs
- Container Status: docker compose ps
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
Checklist
1. :ballot_box_with_check: I have verified I'm on the latest release (note that mobile app releases may take some time).
2. :ballot_box_with_check: I have read applicable release notes.
3. :ballot_box_with_check: I have reviewed the FAQs for known issues.
4. :ballot_box_with_check: I have reviewed Github for known issues.
5. :ballot_box_with_check: I have tried accessing Immich via local ip (without a custom reverse proxy).
6. :ballot_box_with_check: I have uploaded the relevant logs, docker compose, and .env files, making sure to use code formatting.
7. :ballot_box_with_check: I have tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable
(an item can be marked as "complete" by reacting with the appropriate number)
If this ticket can be closed you can use the /close command, and re-open it later if needed.
Your curl command makes it pretty clear that your proxy is serving an invalid or untrusted certificate
This wouldn’t be an Immich related issue
Where is your cert from?
It's from letsencrypt
I just renewed the certificate this morning. It should be valid until 23 Nov 2024. Firefox accepts it without problems.

Can you take a screenshot of the advanced page in the app setting?
If curl doesn’t accept it, something is clearly broken in that case
Maybe you can share the domain here and we can test it
I actually just fixed the upload issue by re-doing the nginx config. But the SSL issue is still a thing
I just went to take that screenshot and found the "Allow self-signed SSL certificates" option. I enabled that and now the Android app can connect
That shouldn’t be necessary though, your reverse proxy or network setup is broken
If you have a real cert
That's weird, yeah
I'll have to look into that. But like you said earlier, that's not an Immich issue
Thanks for the help!
No prob. Note that video playback won’t work with a self signed cert
In case someone comes across this in the future: I had the exact same issue, and it was because I was using cert.pem as my ssl_certificate in nginx instead of fullchain.pem. Immich (and curl) need the intermediate certificate in the fullchain.pem, but most web browsers seem to already know the Let's Encrypt intermediate CA and so don't show the issue.
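The cause described in the last comment can be checked without a browser. The script below is an added example, not part of the thread or of Immich; its function names are hypothetical, and it assumes certbot-style PEM files and certificate paths without spaces. It reads an nginx config, finds every ssl_certificate file, and flags any that holds only a leaf certificate.

```shell
#!/bin/sh
# Added example (not from the thread): flag nginx ssl_certificate files that
# contain only the leaf certificate (certbot's cert.pem) instead of the leaf
# plus intermediate (fullchain.pem).

# Number of PEM certificate blocks in a file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Paths named by ssl_certificate directives; ssl_certificate_key is skipped
# because the directive name must be followed by whitespace.
cert_paths() {
    sed -n 's/^[[:space:]]*ssl_certificate[[:space:]][[:space:]]*\([^;]*\);.*$/\1/p' "$1"
}

# Print one verdict per directive. Returns 1 if any file would make nginx
# send the leaf without its intermediate, which strict clients reject.
audit_nginx_chain() {
    status=0
    for path in $(cert_paths "$1"); do
        if [ ! -r "$path" ]; then
            echo "UNREADABLE $path"; status=1
        elif [ "$(count_certs "$path")" -lt 2 ]; then
            echo "LEAF-ONLY $path"; status=1
        else
            echo "OK $path"
        fi
    done
    return $status
}

# Live check of what a server actually sends (needs network and openssl).
# A complete Let's Encrypt chain shows at least two certificates.
served_cert_count() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Usage: sh check_chain.sh /etc/nginx/sites-enabled/immich.conf
if [ -n "${1:-}" ]; then audit_nginx_chain "$1"; fi
```

A LEAF-ONLY result matches the symptom in this thread: browsers that already know the intermediate accept the site, while curl and the mobile app report an invalid certificate.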