Android app connection over HTTPS fails: "TLS/SSL communication failed: POST /oauth/config"
Attempting to connect to the server endpoint (https://immich-server.ddns.net:28376/api) fails with "TLS/SSL communication failed: POST /oauth/config". This is a brand new docker setup on Ubuntu Server. Nginx is acting as reverse proxy on the same machine to support HTTPS with a publicly trusted certificate. The problem only occurs from the Android app on the three devices tested. On iOS the app does connect, taking me to the login page. The Immich webpage is trusted by the browsers on all devices and logging in works. All operations (uploading, deleting, listing, etc.) seem to function as expected from mobile and PC browsers.
Nginx debug log records an SSL handshake failure as the Android app errors out:
2023/06/09 17:04:50 [debug] 4811#4811: *2 SSL_do_handshake: -1
2023/06/09 17:04:50 [debug] 4811#4811: *2 SSL_get_error: 6
2023/06/09 17:04:50 [info] 4811#4811: *2 peer closed connection in SSL handshake while SSL handshaking, client: 192.168.1.115, server: 0.0.0.0:28376
2023/06/09 17:04:50 [debug] 4811#4811: *2 close http connection: 20
The Immich app log is empty.
If the app is pointed to the HTTP endpoint the error does not occur, even if going through the reverse proxy (after disabling HTTPS). So, I'd think that the problem is solely related to my nginx config, but then I wonder why the problem is restricted to the Android client. In any case, I'll appreciate suggestions.
I posted the config files on a GitHub issue. (Didn't want to make this post that long.) -> https://github.com/immich-app/immich/issues/2711
Have you had a chance to use port 443 instead?
Hi Alex. I did as per your comment on GitHub. But the problem still behaves the same.
After you switched to port 443, what URL did you use for the mobile app?
and just to confirm this is not a self-sign cert, correct?
I used https://immich-server.ddns.net/api and https://immich-server.ddns.net:443/api
Correct, not self-signed but signed by a public CA. Initially I had one signed by my internal CA. Thinking that that was the problem, I then obtained a public one.
is it LetsEncrypt?
It's signed by USERTrust. The full chain is USERTrust -> Sectigo -> Immich server.
Do you mind trying a different reverse proxy like Caddy?
I've thought of that but am not sure how it would interact with immich-proxy
Well, you can think of immich-proxy as just a normal web app.
You just need to redirect everything back to serverip:2283,
then the internal proxy will handle the other routing 🙂
Then it's pretty easy. I'll try that. Thanks! Loving Immich, btw.

here is my caddy config
Are you doing HTTPS to Immich?
Yep, Caddy automatically uses LetsEncrypt to generate a certificate for you.
All you need to do is that one line.
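For reference, the "one line" reverse proxy setup being described, as an added example and not Alex's actual config (the hostname and file paths are placeholders). The first site block is the default, where Caddy obtains a LetsEncrypt certificate on its own; the second shows how to hand Caddy an existing CA-issued certificate instead, which is the situation in this thread:

```caddyfile
# Default: Caddy terminates TLS with an automatically issued LetsEncrypt certificate
# and forwards everything to immich-proxy, which does the internal routing.
immich.example.com {
    reverse_proxy 127.0.0.1:2283
}

# Alternative: reuse a certificate you already have. The first file must contain
# the server certificate followed by every intermediate (the full chain), not just the leaf.
immich.example.com {
    tls /etc/ssl/immich/fullchain.pem /etc/ssl/immich/privkey.pem
    reverse_proxy 127.0.0.1:2283
}
```

Automatic issuance needs the ACME challenge to reach Caddy, i.e. port 80 (HTTP challenge) or 443 (TLS-ALPN challenge) must be open from the internet, independent of whatever port the app is served on; a non-standard port alone does not remove that requirement.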
That's pretty great. LetsEncrypt doesn't do custom ports, does it? Meaning, port 80 has to be externally open.
I am not sure, you will have to research this.
That's what I've read before, but maybe there's a way already. I'll definitely setup Caddy tomorrow.
Based on the SSL logs, the mobile app is closing the connection for some reason. It would be great to get detailed logs from the mobile app that would explain why as this has happened to several people and there isn't a lot of information about why. I've seen it with valid SSL certs.
Any chance you could reproduce it in debug build @Alex ?
I haven't run into this issue in the debug build because most of the sites I access use LetsEncrypt.
So, I replaced nginx with Caddy as reverse proxy, using the same certificate. Still the same behavior in the Android app. The iOS app works like a charm. The web app has no issues either, even on Safari. The debug log on Caddy registers this when the app errors out: http: "TLS handshake error from 192.168.1.115:48546: EOF"
My theory is that a library is not liking something in the certificate, but what? Other certificates signed by the same CA have been in use for years without hiccup from many apps, which makes this problem even more mystifying.
If you are using LetsEncrypt cert, does it work?
No, I don't use LetsEncrypt so far. However... fixed!
It was my certificate chain missing an intermediate certificate, which in theory is not needed because it has transitive trust from the root certificate. But some strict SSL libraries do require it. I got a big hint towards the solution by trying the Immich web app from Brave on iOS, which didn't trust the certificate.
Thanks for the support!
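The fix above (serving the intermediate certificate alongside the leaf) can be reproduced and checked offline with the openssl CLI. The following is an added example, not code from the thread or from the Immich project: it builds a throwaway root -> intermediate -> leaf chain with made-up names (/CN=test root, immich.example), then shows that the leaf fails path validation when presented alone and passes once the intermediate is bundled with it, which is exactly the difference a strict client sees.

```shell
#!/bin/sh
# Added example (not from the thread or the Immich project): a throwaway
# root -> intermediate -> leaf chain, used to show why a server that sends
# only the leaf fails with strict TLS clients. All names are made up.
set -u

make_test_chain() {
  # $1: scratch directory. Produces root.crt, int.crt, leaf.crt and their keys.
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:immich.example\n' > "$d/leaf.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -out "$d/$n.csr" -subj "/CN=test $n" >/dev/null 2>&1 || return 1
  done
  # Self-signed root (the trust anchor a client already has).
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/root.crt" >/dev/null 2>&1 || return 1
  # Intermediate signed by the root (the cert that was missing in the thread).
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.crt" >/dev/null 2>&1 || return 1
  # Leaf (server certificate) signed by the intermediate.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.crt" >/dev/null 2>&1 || return 1
}

verify_leaf() {
  # $1: trusted root, $2: leaf, $3 (optional): untrusted bundle sent by the server.
  # Returns 0 when openssl can build a path from the leaf to the root, 1 otherwise.
  if [ $# -ge 3 ] && [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

build_fullchain() {
  # $1: leaf, $2: intermediate(s), $3: output bundle.
  # Order matters: the server certificate first, then its issuers.
  cat "$1" "$2" > "$3"
}

if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  make_test_chain "$tmp" || { echo "openssl failed"; exit 1; }
  if verify_leaf "$tmp/root.crt" "$tmp/leaf.crt"; then
    echo "leaf alone: OK (unexpected)"
  else
    echo "leaf alone: FAIL, unable to get local issuer certificate"
  fi
  build_fullchain "$tmp/leaf.crt" "$tmp/int.crt" "$tmp/fullchain.pem"
  if verify_leaf "$tmp/root.crt" "$tmp/leaf.crt" "$tmp/fullchain.pem"; then
    echo "fullchain: OK"
  fi
  rm -rf "$tmp"
fi
```

Run it with `sh chain-check.sh demo`. To see what a live server actually sends, use `openssl s_client -connect immich-server.ddns.net:28376 -servername immich-server.ddns.net -showcerts </dev/null`: the "Certificate chain" section should list the leaf at depth 0 and the intermediate at depth 1, and a missing intermediate shows up as "Verify return code: 21 (unable to verify the first certificate)". For nginx, `ssl_certificate` must point at the leaf plus intermediate bundle (the file public CAs ship as the ca-bundle, concatenated after the server cert), and Caddy's `tls` directive expects the same full chain in the certificate file. Browsers often mask the mistake because they cache intermediates or fetch them via the certificate's AIA URL; mobile TLS libraries generally do neither, which is why only the Android app failed here.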
No problem, thank you for trying to solve the issue so we can refer to this later if anyone has similar problem
Is there any way we can log these errors in the mobile app?
That would have been really beneficial. In the app there's a setting to set the logging level, but only after you sign in.
Aren't those logs available in the "Logs" button? You can see "Logs" button at the bottom of the screen.

Yes, but I don't think there is anything in them for SSL issues.
My app logs were empty when I was having the problem
Interesting. You might need to set the debug flag somehow.
Actually, I got this error in the Android app when I entered a wrong URL.