I
Immichā€¢5w ago
HZH

šŸ„²Please help me check this problem

33 Replies
Immich
Immichā€¢5w ago
:wave: Hey @HZH, Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:. References - Container Logs: docker compose logs docs - Container Status: docker ps -a docs - Reverse Proxy: https://immich.app/docs/administration/reverse-proxy - Code Formatting https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA Checklist I have... 1. :blue_square: verified I'm on the latest release(note that mobile app releases may take some time). 2. :blue_square: read applicable release notes. 3. :blue_square: reviewed the FAQs for known issues. 4. :blue_square: reviewed Github for known issues. 5. :blue_square: tried accessing Immich via local ip (without a custom reverse proxy). 6. :blue_square: uploaded the relevant information (see below). 7. :blue_square: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable (an item can be marked as "complete" by reacting with the appropriate number) Information In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider: - Your docker-compose.yml and .env files. - Logs from all the containers and their status (see above). - All the troubleshooting steps you've tried so far. - Any recent changes you've made to Immich or your system. - Details about your system (both software/OS and hardware). - Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h). - The version of the Immich server, mobile app, and other relevant pieces. - Any other information that you think might be relevant. Please paste files and logs with proper code formatting, and especially avoid blurry screenshots. Without the right information we can't work out what the problem is. Help us help you ;) If this ticket can be closed you can use the /close command, and re-open it later if needed.
HZH
HZHOPā€¢5w ago
Zeus
Zeusā€¢5w ago
We gave you the solution last time? Your reverse proxy isnā€™t passing the cert properly This isnā€™t related to immich
HZH
HZHOPā€¢4w ago
There is no problem with the certificate. It can be accessed through the browser and ios application. The browser shows that the certificate was issued by an official organization. It's just that the Android app cannot be linked. It's impossible that just because the Android app cannot be linked means that there is a problem with the certificate... After all, ios apps and browsers can be accessed normally This is the domain name https://nas.hyining.life:9527/
Zeus
Zeusā€¢4w ago
Hello,both wget and curl are extremely widespread URL client/libraries. Until they work without issue, we will not be able to help as this is well beyond an Immich issue. You can test this on your local side. 
$ wget  https://nas.hyining.life:9527/
--2025-04-02 22:47:18--  https://nas.hyining.life:9527/
Resolving nas.hyining.life (nas.hyining.life)... 218.66.162.205, 240e:379:44da:2200::199
Connecting to nas.hyining.life (nas.hyining.life)|218.66.162.205|:9527... connected.
ERROR: The certificate of ā€˜nas.hyining.lifeā€™ is not trusted.
ERROR: The certificate of ā€˜nas.hyining.lifeā€™ doesn't have a known issuer.
$ wget  https://nas.hyining.life:9527/
--2025-04-02 22:47:18--  https://nas.hyining.life:9527/
Resolving nas.hyining.life (nas.hyining.life)... 218.66.162.205, 240e:379:44da:2200::199
Connecting to nas.hyining.life (nas.hyining.life)|218.66.162.205|:9527... connected.
ERROR: The certificate of ā€˜nas.hyining.lifeā€™ is not trusted.
ERROR: The certificate of ā€˜nas.hyining.lifeā€™ doesn't have a known issuer.
$ curl -v https://nas.hyining.life:9527/
*   Trying 218.66.162.205:9527...
*   Trying [240e:379:44da:2200::199]:9527...
* Immediate connect fail for 240e:379:44da:2200::199: Network is unreachable
* Connected to nas.hyining.life (218.66.162.205) port 9527 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
$ curl -v https://nas.hyining.life:9527/
*   Trying 218.66.162.205:9527...
*   Trying [240e:379:44da:2200::199]:9527...
* Immediate connect fail for 240e:379:44da:2200::199: Network is unreachable
* Connected to nas.hyining.life (218.66.162.205) port 9527 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
As you can see the certificate is untrusted by both major URL clients Perhaps the cert issuer is one that is trusted by your operating system, but it is not one of the major global certificate authorities and thus it will not work
CrushedAsian255
CrushedAsian255ā€¢4w ago
See if you can get a Letā€™s Encrypt certificate. Theyā€™re free and trusted by everything
Pyenb
Pyenbā€¢4w ago
I would just try caddy. This is my entire caddyfile for immich and it works perfectly with the automatic HTTPS. 
immich.mydomain.xyz {
    reverse_proxy http://192.168.178.95:2283
}
immich.mydomain.xyz {
    reverse_proxy http://192.168.178.95:2283
}
https://immich.app/docs/administration/reverse-proxy/#caddy-example-config Way easier than nginx IMO
HZH
HZHOPā€¢4w ago
Hello, thank you for your suggestion. The certificate I obtained through win-acme seems to be from Let's Encrypt
No description
No description
HZH
HZHOPā€¢4w ago
thank you very much May I ask if the cadyfile container should also be written in immich's docker-composi.yml? Then run <docker compose up -d>? Or create a dorker container for caddyfile independently or install it directly on the device?
HZH
HZHOPā€¢4w ago
Thank you very much for your help. I can successfully get the results by running the [wget curl] command through a windows server. Is it because you are not in China? This server is not an intranet server. (See screenshot for details) My certificate was obtained through win-acme, which also belongs to Let's Encrypt. I'm trying some other methods to see if caddyfile can solve my problem. Sorry to bother you so many times, thank you very much.
No description
CrushedAsian255
CrushedAsian255ā€¢4w ago
Potentially, are you currently in China? Maybe itā€™s using a certificate that is only trusted on Chinese devices
bo0tzz
bo0tzzā€¢4w ago
Let's encrypt only gives out globally trusted certificates
CrushedAsian255
CrushedAsian255ā€¢4w ago
Iā€™m thinking the Chinese GFW may be doing some shenanigans potentially
bo0tzz
bo0tzzā€¢4w ago
~ āÆ openssl s_client nas.hyining.life:9527     
Connecting to 218.66.162.205
CONNECTED(00000003)
depth=0 CN=*.hyining.life
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=*.hyining.life
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=*.hyining.life
verify return:1
---
Certificate chain
 0 s:CN=*.hyining.life
   i:C=US, O=Let's Encrypt, CN=R11
   a:PKEY: rsaEncryption, 3072 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar  6 07:17:41 2025 GMT; NotAfter: Jun  4 07:17:40 2025 GMT
---
~ āÆ openssl s_client nas.hyining.life:9527     
Connecting to 218.66.162.205
CONNECTED(00000003)
depth=0 CN=*.hyining.life
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=*.hyining.life
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=*.hyining.life
verify return:1
---
Certificate chain
 0 s:CN=*.hyining.life
   i:C=US, O=Let's Encrypt, CN=R11
   a:PKEY: rsaEncryption, 3072 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar  6 07:17:41 2025 GMT; NotAfter: Jun  4 07:17:40 2025 GMT
---
Like was already mentioned before: The reverse proxy is not sending the full certificate chain
HZH
HZHOPā€¢4w ago
But my Android device was also visited in China...:Cryge:
bo0tzz
bo0tzzā€¢4w ago
For comparison: 
~ ā® openssl s_client bo0tzz.me:443                                                                                                                                                                                                                                                               āœ˜ INT
Connecting to 45.142.19.143
CONNECTED(00000003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=R10
verify return:1
depth=0 CN=bo0tzz.me
verify return:1
---
Certificate chain
 0 s:CN=bo0tzz.me
   i:C=US, O=Let's Encrypt, CN=R10
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 17 09:04:19 2025 GMT; NotAfter: Jun 15 09:04:18 2025 GMT
 1 s:C=US, O=Let's Encrypt, CN=R10
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
~ ā® openssl s_client bo0tzz.me:443                                                                                                                                                                                                                                                               āœ˜ INT
Connecting to 45.142.19.143
CONNECTED(00000003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=R10
verify return:1
depth=0 CN=bo0tzz.me
verify return:1
---
Certificate chain
 0 s:CN=bo0tzz.me
   i:C=US, O=Let's Encrypt, CN=R10
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 17 09:04:19 2025 GMT; NotAfter: Jun 15 09:04:18 2025 GMT
 1 s:C=US, O=Let's Encrypt, CN=R10
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
CrushedAsian255
CrushedAsian255ā€¢4w ago
Ah makes sense What probably is happening is the ACME tool gives you both the single cert and the chained cert OP probably just imported the wrong one @HZH can you screenshot the list of files win-acme generated?
HZH
HZHOPā€¢4w ago
No description
CrushedAsian255
CrushedAsian255ā€¢4w ago
Which one are you using on the site?
HZH
HZHOPā€¢4w ago
No description
CrushedAsian255
CrushedAsian255ā€¢4w ago
That is the issue, crt only sends the certificate itself, not the chain of trust you most likely need the -chain file
HZH
HZHOPā€¢4w ago
Switch to another certificate? The next two? hyining.life-chain-only.pem hyining.life-chain.pem
CrushedAsian255
CrushedAsian255ā€¢4w ago
no, key is fine, just replace crt with chain or may need to concatenate if you are running a different version First try chain before trying anything else though
HZH
HZHOPā€¢4w ago
For this area, it is my knowledge blind spot... Is it okay to modify this?
No description
bo0tzz
bo0tzzā€¢4w ago
yes
CrushedAsian255
CrushedAsian255ā€¢4w ago
That looks right If that doesnā€™t work I have another idea You may (probably?) also need to restart Nginx after saving config change
Pyenb
Pyenbā€¢4w ago
It should work in the same file, but I would move it to a seperate one. If you update the docker compose file, when a new version releases, you would have to re-add it every time. With a seperate stack you don't have to do that. In my setup Immich and Caddy are running on entirely different Servers and are connected via tailscale, to basically "obfuscate" my Home servers IP Address, as I also hit the same problem as a lot of other people with Cloudflares 100mb uplaod limit. Or, depending on your setup, you don't need docker for caddy at all. On my "proxy" server I just have caddy running bare metal
HZH
HZHOPā€¢4w ago
My God... There are still mistakes
No description
HZH
HZHOPā€¢4w ago
Android still cannot access...
No description
CrushedAsian255
CrushedAsian255ā€¢4w ago
Still says invalid cert, @bo0tzz can you rerun OpenSSL?
Pyenb
Pyenbā€¢4w ago
Off topic but whare are you using for your posts on your website? @bo0tzz
CrushedAsian255
CrushedAsian255ā€¢4w ago
Please ask this in off-topic if you know this is off-topic
Pyenb
Pyenbā€¢4w ago
:(

Did you find this page helpful?