iOS unable to access server with self-signed SSL
I have Immich running on port 2283 which I can access fine through the web browser and the mobile app through http, but another version running with nginx-proxy-manager using a self-signed SSL certificate which works fine in the browser, but does not allow me to login through the mobile app. I am using an iPhone 11 Pro Max with iOS 16.3 and both the server and client are up to date.
24 Replies
The http module in the mobile app does not allow using self-signed certificates.
Oh... would this mean I require a domain name then?
That, or another service that would provide a reverse proxy with TLS termination. I think most people who expose it outside of their home use their own domain.
I'd suggest DuckDNS - https://duckdns.org
I'm not really looking to expose it outside of my home, though.
You just want https on your local network? I don't think there's any way to use the mobile app with https without a valid certificate.
I don't think https on your LAN is worth the effort; you should probably just use http.
Alright, thanks for the help guys. I may just be overly cautious trying to use https on my LAN.
Really the only way it could get exposed is if your router got hacked
https is great to use, even locally, but specifically for Immich and the mobile app, it just doesn't work unless you have a non-self-signed cert.
Could try this:
https://support.apple.com/en-us/HT204477
Thanks. I'll take a look.
Oh, maybe that's not for general consumer. I was wondering if there would be a way to update "root certificates" that your phone trusts and maybe that would make it possible to use a non-public cert with immich. Other than that, I'd guess out of luck.
I don't think Dart actually uses the system root store.
@directly Hello, you can also generate a self-signed certificate with Let's Encrypt on your server proxy (nginx). You will have a clean https on your DNS. It's free. I did it and it works well.
You can also set up Tailscale, enable https and get the cert from there.
Once you get the cert, you can either disable Tailscale and add a manual DNS entry for that domain or just use it via Tailscale.
iOS simply does not work with self-signed SSL. Get a signed cert and serve with that.
And the signed cert can easily be done with Caddy and a DNS challenge. No need to open any ports and expose yourself to the internet.
The way WD do it with their home cloud device is provide a GUID subdomain of their public .com, a DNS A record pointing to your 192.168.. and a wildcard TLS cert on their public domain.
They put wildcard certs on devices that are in people's homes? That sounds sketchy 🤔
You get a https://device-local-guid.remotewd.com domain where the A record is the local address of 192.168.1.2 or whatever. So you get HTTPS on your LAN without any self-signed certs.
What's the CN of the certificate though? You said wildcard, so I would assume *.remotewd.com? That seems pretty unsafe.
Oh, it's a Let's Encrypt cert for that subdomain, not a wildcard.
Anyway, it's a real nice solution.
That makes more sense lol
In that case, yeah, pretty nice
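A diagnostic for the two points the thread keeps returning to (the mobile app rejecting anything a strict TLS client would reject, and the hostname question raised about the WD setup): this is an added example, not code from the thread or from Immich, that performs the same chain-plus-hostname validation a strict client does against a server you name, and reports which of those checks fails. The host and port are placeholders you pass in; the verify-code table is from OpenSSL's x509_vfy.h and is an assumption about which codes matter here.

```python
import socket
import ssl
import sys

# OpenSSL X509 verify codes carried in ssl.SSLCertVerificationError.verify_code
# (values from x509_vfy.h; these are the ones a self-signed LAN setup hits).
VERIFY_CODES = {
    10: "certificate expired",
    18: "self-signed leaf certificate (not chained to any trusted root)",
    19: "self-signed CA in chain (private CA, not in the client's root store)",
    20: "issuer not found locally (unknown or untrusted CA)",
    62: "hostname mismatch (certificate does not cover the name/IP you used)",
}


def classify(verify_code):
    """Map an OpenSSL verify code to the reason a strict client refuses the cert."""
    return VERIFY_CODES.get(verify_code, f"verification failed (code {verify_code})")


def check_server(host, port=443, timeout=5.0):
    """Handshake with a default (strict) context: trusted roots + hostname check.

    Returns (ok, detail). ok=True means a client that only trusts public roots
    should accept the certificate; ok=False carries the reason it will not.
    Passing an IP literal as host makes Python check it against the IP SANs,
    which is exactly what fails when you browse to https://192.168.x.x.
    """
    ctx = ssl.create_default_context()  # system roots, hostname checking on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                names = [v for _, v in cert.get("subjectAltName", ())]
                return True, f"trusted; SANs={names}; expires {cert.get('notAfter')}"
    except ssl.SSLCertVerificationError as e:
        return False, classify(e.verify_code)
    except (OSError, ssl.SSLError) as e:
        return False, f"connection/TLS error: {e}"


if __name__ == "__main__":
    # Usage: python3 check_tls.py immich.example.lan 443   (placeholder host)
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.2"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    ok, detail = check_server(target, target_port)
    print(("OK: " if ok else "REJECTED: ") + detail)
```

Run it against the nginx-proxy-manager address: a self-signed cert reports code 18, and a publicly issued cert reached by bare IP instead of its DNS name reports code 62, which tells you whether the fix is a real cert, a DNS name, or both.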