SSL Client Certificate not working?
Hi,
I've tried setting up an SSL Client Certificate through mTLS on Cloudflare. But for the life of me I can't get it to work in the Immich app, despite the fact it feels like it should be possible.
Specifically I have set it up in Cloudflare to get my URL. This works in Chrome. I get a popup saying it wants to authenticate with the certificate (installed into Android) and it happily then lets me access the system via the web. It works on my PC in firefox. But if I "Import" the SSL Client Certificate into Immich, it just doesn't do anything...
I get "Server is not reachable". And if I check the logs it's just being blocked by Cloudflare and appears to be showing the HTML you get if you don't provide a certificate.
Any ideas what I'm doing wrong? Are there some endpoints that have to not be protected by the mTLS?

16 Replies
:wave: Hey @Pluckerpluck,
Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.
References
- Container Logs: docker compose logs (docs)
- Container Status: docker ps -a (docs)
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA
Checklist
I have...
1. :ballot_box_with_check: verified I'm on the latest release (note that mobile app releases may take some time).
2. :ballot_box_with_check: read applicable release notes.
3. :ballot_box_with_check: reviewed the FAQs for known issues.
4. :ballot_box_with_check: reviewed Github for known issues.
5. :ballot_box_with_check: tried accessing Immich via local ip (without a custom reverse proxy).
6. :ballot_box_with_check: uploaded the relevant information (see below).
7. :ballot_box_with_check: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable
(an item can be marked as "complete" by reacting with the appropriate number)
Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.
Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)
If this ticket can be closed you can use the /close command, and re-open it later if needed.
Successfully submitted, a tag has been added to inform contributors. :white_check_mark:
I am confused. You're talking about the mobile app but shared a screenshot of web?
Give me a moment, I'm just trying to copy through the logs of the error and it should make sense

Imagine that has enough resolution to be understandable... but basically the entirety of "Details" is the HTML of the web screenshot I showed.
#0 ServerApi.pingServer (package:openapi/api/server_api.dart:494)
<asynchronous suspension>
#1 Future.timeout.<anonymous closure> (dart:async/future_impl.dart:1043)
<asynchronous suspension>
#2 ApiService._isEndpointAvailable (package:immich_mobile/services/api.service.dart:115)
<asynchronous suspension>
#3 ApiService.resolveEndpoint (package:immich_mobile/services/api.service.dart:100)
<asynchronous suspension>
#4 ApiService.resolveAndSetEndpoint (package:immich_mobile/services/api.service.dart:76)
<asynchronous suspension>
#5 AuthService.validateServerUrl (package:immich_mobile/services/auth.service.dart:57)
<asynchronous suspension>
#6 LoginForm.build.getServerAuthSettings (package:immich_mobile/widgets/forms/login/login_form.dart:104)
<asynchronous suspension>
Ah I see
#15230
mTLS isn't properly supported and comes with some quirks here and there
Which in part is also due to the libraries we're using, not just because of Immich
Yeah, I just didn't expect that quirk to be me failing to log in at the first hurdle. People seem to have got past this point
Though I do get it's experimental, and if I have to I'll live with using a VPN for remote connections
Or just drop mTLS tbh
Very few people here actually use mTLS. Many security conscious people/people working in the industry don't for their homelab
Yeah, the alternative is VPNing in, in some way, or just trusting Immich to never have a security vulnerability...
First is a pain for less technical users vs just installing a certificate. Second is riskier given that my entire photo library is decently sensitive.
Realistically our auth is so simple that it's more likely an underlying library will F up. In that case it's unlikely someone will actually waste a vulnerability they found on something as boring as people's Immich instance, tbh.
That's fair, and good to know at least
If you want to improve security, use OAuth
Sensitive in a privacy manner, or in a way that third parties would pay people to get to it? 😅
Privacy 😛 Trying to get my GF to back up her photos, but she doesn't even want to stick them on Google Photos for fear her account will be hacked one day
Then you should absolutely be fine
Besides some bots trying random passwords, I doubt you'll see any attacks.
Nobody here does