Mobile photo downloads fail through nginx HTTPS

Hello! I am having trouble getting file downloads to work on mobile (both Android and iOS) when I am connected to my Immich server through an HTTPS connection. If I switch to HTTP (i.e. change the listening port to 80 and comment out the ssl lines), downloads work as expected. HTTPS downloads work as expected in a web browser. I think this is a client-side issue because I don't see any web requests in the nginx access logs when I tap the download button. However, I am struggling to find any errors in the client logs, only a pop-up message saying "download failed". The TLS certificate is a wildcard cert signed by my own internal CA which I also use on about a dozen other self-hosted services without issue. The internal CA is trusted by my devices, but I still had to enable the "Allow self-signed SSL certificates" within the app to get it to connect.

Clients:
- Google Pixel 7a, Android 14, Immich 1.123.0 build.172
- Apple iPhone 13 mini, iOS 18.1, Immich 1.123.0 build.186

Server:
- Ubuntu 24.04.1
- Immich v1.123.0 installed via Docker Compose
- nginx/1.24.0 (Ubuntu)

nginx site config:
```nginx
upstream primary {
    server localhost:2283;
}

server {
    listen 443;
    server_name photos.example.com;

    # "ssl on;" is deprecated; the current form is "listen 443 ssl;"
    ssl on;
    ssl_certificate /etc/ssl/star_example_com_chain.crt;
    ssl_certificate_key /etc/ssl/private/star_example_com.key;

    client_max_body_size 50000M;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Note: this sends "Connection: upgrade" on every proxied request, not
    # only on WebSocket upgrades; nginx's docs use a map on $http_upgrade instead.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_redirect off;

    proxy_read_timeout 600s;
    proxy_send_timeout 600s;
    send_timeout 600s;

    location / {
        proxy_pass http://primary;
    }
}
```
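The thread attributes the failure to a known app limitation with self-signed certificates, but before changing app settings it is worth confirming that the server side is sound: the chain file nginx loads must validate against the CA the phones trust, and the wildcard must live in the certificate's subjectAltName, since mobile TLS stacks ignore the CN. The script below is an added example, not code from the thread or from the Immich project: it builds a throwaway internal CA and wildcard leaf (all constructed in a temp directory), then runs the two checks an operator would point at the real `star_example_com_chain.crt` and CA certificate. The hostname `photos.example.com` comes from the posted config; the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway internal CA and a
# wildcard leaf, then run the two offline checks an nginx operator can run
# against the chain file nginx loads (ssl_certificate) before concluding the
# client is at fault. Everything here is constructed in a temp dir; the
# hostname photos.example.com is taken from the posted config. Assumes the
# openssl command-line tool is installed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_KEY="$WORK/ca.key";     CA_CRT="$WORK/ca.crt"
LEAF_KEY="$WORK/leaf.key"; LEAF_CSR="$WORK/leaf.csr"; LEAF_CRT="$WORK/leaf.crt"
CHAIN="$WORK/star_example_com_chain.crt"   # plays the role of the file nginx serves

# 1. Constructed internal CA (root only; a real PKI may add an intermediate,
#    which must then also be present in the chain file nginx serves).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Example Internal CA" -keyout "$CA_KEY" -out "$CA_CRT" >/dev/null 2>&1

# 2. Wildcard leaf with a subjectAltName. Android and iOS match hostnames
#    only against the SAN, never the CN, so a CN-only wildcard fails on phones
#    even when the same file is accepted elsewhere.
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.example.com" \
  -keyout "$LEAF_KEY" -out "$LEAF_CSR" >/dev/null 2>&1
printf 'subjectAltName=DNS:*.example.com,DNS:example.com\nextendedKeyUsage=serverAuth\n' \
  > "$WORK/leaf.ext"
openssl x509 -req -sha256 -days 1 -in "$LEAF_CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" \
  -CAcreateserial -extfile "$WORK/leaf.ext" -out "$LEAF_CRT" >/dev/null 2>&1
cat "$LEAF_CRT" "$CA_CRT" > "$CHAIN"        # leaf first, then issuer(s)

# chain_verifies CHAIN CA_FILE
# Does the leaf at the top of CHAIN validate against the CA the devices trust?
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# san_covers CHAIN HOST
# Does the leaf's SAN list cover HOST? Implements the single-label wildcard
# rule (RFC 6125): *.example.com matches photos.example.com but not
# a.b.example.com or example.com itself.
san_covers() {
  host="$2"
  sans="$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
          | tr ',' '\n' | sed -n 's/.*DNS:[[:space:]]*//p')"
  while read -r san; do
    [ -z "$san" ] && continue
    [ "$san" = "$host" ] && return 0
    case "$san" in
      \*.*)
        suffix="${san#\*}"               # "*.example.com" -> ".example.com"
        label="${host%"$suffix"}"        # "photos.example.com" -> "photos"
        # Match only if the suffix was actually stripped and what remains is a
        # single non-empty label (no dots).
        if [ "$label" != "$host" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ]; then
          return 0
        fi ;;
    esac
  done <<EOF
$sans
EOF
  return 1
}

# Usage: run the same two calls against the real chain file and CA certificate.
if chain_verifies "$CHAIN" "$CA_CRT" && san_covers "$CHAIN" photos.example.com; then
  echo "chain validates and SAN covers photos.example.com"
else
  echo "chain or SAN problem: fix the server side before changing app settings"
fi
```

If `chain_verifies` fails against the real files, the usual cause is an intermediate missing from the chain file; if `san_covers` fails, the certificate was issued with the name only in the CN. Either condition makes a phone reject the connection regardless of how the app is configured, so both are worth ruling out before toggling "Allow self-signed SSL certificates", which disables certificate validation in the client.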
10 Replies
Immich, 5mo ago
:wave: Hey @RhubarbBread, Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.

References
- Container Logs: docker compose logs docs
- Container Status: docker ps -a docs
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting: https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA

Checklist
I have...
1. :ballot_box_with_check: verified I'm on the latest release (note that mobile app releases may take some time).
2. :ballot_box_with_check: read applicable release notes.
3. :ballot_box_with_check: reviewed the FAQs for known issues.
4. :ballot_box_with_check: reviewed Github for known issues.
5. :ballot_box_with_check: tried accessing Immich via local ip (without a custom reverse proxy).
6. :ballot_box_with_check: uploaded the relevant information (see below).
7. :ballot_box_with_check: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable
(an item can be marked as "complete" by reacting with the appropriate number)

Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.

Please paste files and logs with proper code formatting, and especially avoid blurry screenshots. Without the right information we can't work out what the problem is. Help us help you ;) If this ticket can be closed you can use the /close command, and re-open it later if needed.
Zeus, 5mo ago
This is due to the self-signed cert. Already reported bug, however no ETA on if/when it would be repaired. Self-signed SSL and mTLS is not a high priority for us. I do recommend getting a real cert, it will be a lot better experience with other apps as well.
RhubarbBread (OP), 5mo ago
I am not surprised to hear that. You said this is already reported? Is there a GitHub issue I can reference?
Zeus, 5mo ago
I don't know the number but it was recent.
Zeus, 5mo ago
Yep, that's another known limitation. This one was relating to download.
RhubarbBread (OP), 5mo ago
Well, I'll follow the GitHub issue for now. I can't use LetsEncrypt or a public CA right now because my internal domain is not publicly registerable (.lan). Thanks for confirming that it is related to the PKI infrastructure.
Zeus, 5mo ago
Sure. You can buy a real domain for .99/year FYI.
RhubarbBread (OP), 5mo ago
Yes, and I do have some.
Immich, 5mo ago
This thread has been closed. To re-open, use the button below.