Cannot connect from Android app: "TLS/SSL communication failed: POST /oauth/config"
I have everything set up and working via the web UI, but I am unable to log in from the Android mobile app. On the first screen in the app I enter my server endpoint URL (https://xxxxxxx.xxx/api). When I click 'Next', the following error appears in a popup and I cannot continue: "TLS/SSL communication failed: POST /oauth/config"
I am running the latest versions of both the server and mobile app (tried installing both from F-Droid and from the Play Store).
There don't appear to be any relevant errors in the docker compose logs, so I'm at a loss on how to proceed. Any advice would be appreciated! Let me know if there are additional relevant details that I can provide.
40 Replies
Does your server have a valid https certificate?
Worth looking at the mobile app logs as well
The mobile app logs are empty :/
I have a reverse proxy (Caddy) in front of the server with an https certificate if that's what you mean. I can access the web UI over https without issues
I also have password login disabled, I'm using OAuth login exclusively. Not sure if that's relevant
I wrote on the main channel, but I have the same problem on Android and iOS; server on Mint
Does IP work? With the phone
Like can you try and tell us what works of these situations?
Local network, web via IP
Local network mobile app via IP
Remote network, web via DNS
Remote network, mobile browser via DNS
Remote network, mobile app via DNS
I do not have the IP address exposed through the firewall, but I can give that a try. When connecting by domain name everything works on web (desktop) and mobile browser, but not with the mobile app
On the remote network or local or both?
The other thing you can try is putting https://demo.immich.app/api and replacing the domain with yours. Basically, https and include /api
I've only tried connecting from my local network. I can also try connecting remotely and report back
The mobile app has some restrictions around what it considers a valid certificate. It has to be trusted by Dart's (the language we use) own root store, not a self-signed one.
It's a Let's Encrypt certificate, not self-signed
That should work fine then.
Local network, web via IP or DNS -> works
Local network, mobile browser via IP or DNS -> works
Local network, mobile app via DNS -> does not work
Local network, mobile app via IP -> works
Remote network, web via DNS -> did not test
Remote network, mobile browser via DNS -> works
Remote network, mobile app via DNS -> does not work
Can you make sure to check that the DNS name you use in your mobile app starts with https://
Sorry had to step away before I was able to finish writing my message. In summary, connecting via a web browser seems to work in all scenarios, but when connecting via the Android app I am only able to connect via IP address (domain name does not work).
I have tried with both https and http. Using https is what I originally tried and gives the error "TLS/SSL communication failed: POST /oauth/config".
Using http does not give that error and brings me to the next screen to enter an email address and password. However, this screen does not seem correct since it does not give me an option to use OAuth. I have tried logging in from this screen using the admin email and password, but I get the error "Error logging you in, check server URL, email and password". I wouldn't expect connecting via http to work anyway; my reverse proxy enforces all connections to use https.
So you have configured your server with OAuth, is that correct?
Yes, and I have password login disabled
Can you try disabling OAuth first
and try logging in normally to cut down on the potential errors?
Okay, I'll try that
Okay, I disabled OAuth login and re-enabled password login, but still got the same error
To clarify, I do not get to the password login screen, the error appears on the very first server endpoint URL screen
Try clicking on it again?
What does your Caddy config look like?
I've tried clicking the 'Next' button many times, but get the same error every time
Here is the relevant portion of the Caddy config (with sensitive info removed)
Hmm, looks alright to me
If it would help, I can DM you the actual domain name then you can test connecting with the mobile app yourself
The only difference I have in my Caddy config is I wrapped
I don't think it makes a difference
Yes, please do
Yeah, I think they are equivalent
I can try the debug version of the app and check the log
Perfect, just sent you a message
Ok everything works well on my end
https://domain.info
as the url
https://domain.info/api
also works
Dang :/ Maybe I'll try with a different phone
Which phone did you use?
Okay, I tested it on an iPhone and it works. My Android phone it doesn't work on is a Samsung Galaxy S5 Neo
It's running Android 7 (Nougat)
How interesting
Which I guess is an out-of-support Android version
I still use it as my daily driver though. I don't usually run into issues like this
This may be relevant: https://stackoverflow.com/a/69511058/1988326
Stack Overflow
Flutter on Android 7 CERTIFICATE_VERIFY_FAILED with LetsEncrypt SSL...
After Sept 30, 2021, https get/post requests to a website using a Let's Encrypt SSL ceritificate on an old Android 7 device were failing with this error:
HandshakeException: Handshake error in clie...
Oop, that's a rough one to run into
Yeah oof :/
I don't think it's feasible for us to apply the workaround from that post, but what you can try is to use another CA for your immich cert: https://caddy.community/t/using-zerossls-acme-endpoint/9406
Caddy Community
Using ZeroSSL's ACME endpoint
ZeroSSL is an ACME-compatible certificate authority alternative to Let’s Encrypt. ZeroSSL’s ACME endpoint is already compatible with Caddy because it implements RFC 8555. But Caddy 2.2 has more convenient support for ZeroSSL because it will automatically generate the necessary External Account Binding (EAB) credentials for you. As of Caddy 2.2...
I found a couple of workarounds in the dart repo as well. Not sure if any of these are feasible or different from the ones on Stack Overflow:
https://github.com/dart-lang/io/issues/83#issuecomment-936130566
https://github.com/dart-lang/io/issues/83#issuecomment-940617222
GitHub
CERTIFICATE_VERIFY_FAILED on domain with Let's Encrypt certificate ...
Background Info: DST Root CA X3 expired on September 30, 2021. More Info here: https://scotthelme.co.uk/lets-encrypt-old-root-expiration/ Steps to reproduce issue: On an Android 7.0 Nougat emulator...
Looks like the error is also reproducible using the Android emulator if anyone took pity on me and wants to look into it haha. I understand it's a pretty obscure error from an out-of-support Android version though. I can look into using a different certificate if needed, thanks for the link I wouldn't have thought to try that!
I did a bit more reading and found that there are several other issues with using the default HTTP client in Dart on Android (https://github.com/dart-lang/sdk/issues/48056, https://github.com/dart-lang/sdk/issues/50434, https://github.com/dart-lang/sdk/issues/50435). It looks like the recommended action in Dart moving forward will be to deprecate HttpClient in the dart:io package, and they will recommend using package:http, package:cupertino_http, and package:cronet_http instead (see this in-progress design doc: https://docs.google.com/document/d/1Qw6hrvufQuA5V8ZQ1vXzVgBPFrKMQzmxNiie6_HwB90). The new packages use the native HTTP client implementations, which should solve all the above-mentioned issues.
Not sure if there's any action to be taken at the moment, but I just thought I'd share what I learned
Thank you
Needed a couple months break after running into this frustrating wall last time I tried to set up Immich. But using a different CA was a good idea, thank you! I got some time to try again today, switched to using ZeroSSL, and my phone was able to connect without issues 🎉
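The thread never actually looked at which root the server's chain ends in, which is the one fact that decides whether an Android 7 Dart client will accept it. The script below is an added example, not code from the thread or from the Immich project: it dumps the chain a server sends, picks out the issuer of the last certificate (the anchor the client must already trust), and classifies it against the two Let's Encrypt roots the linked Stack Overflow and dart-lang/io posts discuss. The host argument is a placeholder, the sample issuer strings in the comments are constructed, and the note that ISRG Root X1 is only present in Android system stores from 7.1.1 is my reading of Let's Encrypt's compatibility notes, not something the thread verifies.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or Immich). Inspect the certificate chain a
# TLS server serves and flag the Let's Encrypt roots involved in the 2021 root change.
set -eu

# Print "subject=..." / "issuer=..." pairs, one pair per certificate the server
# sends (leaf first; servers normally omit the root itself).
# Needs network access and openssl. HOST is whatever you typed into the app.
served_chain() {
  host="$1"; port="${2:-443}"
  openssl s_client -connect "${host}:${port}" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
    | openssl crl2pkcs7 -nocrl -certfile /dev/stdin \
    | openssl pkcs7 -print_certs -noout
}

# Read served_chain output on stdin and print the issuer of the last certificate,
# i.e. the anchor the client's root store must contain and consider valid.
last_issuer() {
  awk -F'issuer=' '/^issuer=/ { v = $2 } END { print v }'
}

# Map an issuer string to a short verdict code (matching is by CN substring).
# Constructed sample inputs:
#   "O = Digital Signature Trust Co., CN = DST Root CA X3"          -> le-cross-signed-dst-x3
#   "O = Internet Security Research Group, CN = ISRG Root X1"        -> le-isrg-x1
#   "O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA"            -> other
classify_anchor() {
  case "$1" in
    *"DST Root CA X3"*) echo "le-cross-signed-dst-x3" ;;
    *"ISRG Root X1"*)   echo "le-isrg-x1" ;;
    *)                  echo "other" ;;
  esac
}

# Human-readable explanation of a verdict code.
explain() {
  case "$1" in
    le-cross-signed-dst-x3)
      echo "Chain ends at the DST Root CA X3 cross-sign, which expired on 2021-09-30."
      echo "Android 7 browsers still accept it (as the thread observed); Dart's HttpClient does not." ;;
    le-isrg-x1)
      echo "Chain ends at ISRG Root X1. Assumption: Android system stores only carry that root from 7.1.1,"
      echo "so a shorter chain does not help an Android 7.0 device; a different CA does." ;;
    other)
      echo "Anchor is not a Let's Encrypt root; the 2021 root change does not apply to this chain." ;;
  esac
}

# Usage: main immich.example.com [port]   (placeholder host)
main() {
  chain="$(served_chain "$1" "${2:-443}")"
  printf '%s\n' "$chain"
  code="$(classify_anchor "$(printf '%s\n' "$chain" | last_issuer)")"
  echo "verdict: $code"
  explain "$code"
}
```

Run it as `main yourdomain.example` from a shell that has sourced the script. On the Caddy side, the fix the thread settled on amounts to pointing the ACME issuer at ZeroSSL's directory (https://acme.zerossl.com/v2/DV90, per the linked Caddy Community post) instead of the default Let's Encrypt one; after the switch, rerunning the script should report `other`.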