Issue Uploading after domain change
Hello. I was able to upload my images using:
docker run --rm -v "/mnt/transfer/pictures/me:/import" ghcr.io/immich-app/immich-cli:latest upload --key removedforprivacy --server https://mydomain.com:port/api --recursive --threads 12 --yes
I recently changed the address from mydomain.com:port to immich.mydomain.com:
docker run --rm -v "/mnt/transfer/pictures/me:/import" ghcr.io/immich-app/immich-cli:latest upload --key removedforprivacy --server https://immich.mydomain.com/api --recursive --threads 12 --yes
Checking connectivity with Immich instance...
Error connecting to server - check server address and port
I can access immich just fine using that subdomain (via the web or app), it's just when using the CLI Upload tool that it fails. I tried immich.mydomain.com:443/api as well since that is the port it's going through. Am I missing something?
31 Replies
Are you using a self signed https cert?
You can access the web app from the same machine without a problem? What is the route between the host and the immich server? Is it host to some reverse proxy to immich?
@bo0tzz No, immich is behind a Caddy reverse proxy with a Let's Encrypt signed certificate. @jrasm91 It's a headless server, so I don't have a browser / gui installed. What is the best way to test this? I am able to access the web app from other machines. I'm not sure if I'm technical enough to answer your question correctly but: Host > Internet > Caddy Docker > Immich Docker. Yes, there is a Caddy Reverse proxy that forwards 443 traffic to the proper subdomain. I have many services running so this is how I separate them.
Can you access the immich web app from a machine on your network? And you should be able to check connectivity yourself by sending a curl request to /api/server-info/ping
The server is on a VLAN for security reasons, so there isn't another machine on the same network. I tried curl immich.mydomain.com/api/server-info/ping but nothing came back.
It sounds like you have a network issue or something like that.
You should be more specific with regards to "nothing came back". Was it a network timeout error or an empty response?
Empty response.
I get: {"res":"pong"} when I put that url into a browser.
So I made a mistake when I put it into curl. I forgot the https:// - now I get:
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html
But it's not a self signed certificate.
Can you run it with -v for more logs?
You more than likely have something misconfigured. I'd guess it is routing traffic to the wrong web-server.
* Trying myip:443...
* Connected to immich.myserver.com (myip) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self-signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self-signed certificate
What configuration should I take a look at?
If you view the certificate in the browser, what does it say? (Ideally send a screenshot)

Maybe a good test would be to bypass Caddy & the certificate by opening a port in docker so I can access it locally. Which service / port would that be for the api?
Another side note: I use this project to display all of my services. It has a feature where you can connect a service api and display some info. For immich, it's total photos, storage size, etc. That isn't working either. I tried deleting and recreating the api key but I still get an error. https://github.com/benphelps/homepage
I'm not sure if they are related, but thought I should mention it.
Are you still using immich_proxy or did you remove that?
Either way, give https://immich.app/docs/administration/reverse-proxy a read to make sure your setup is correct
Try running that pointed to your server, from whatever box you are trying to use the cli upload tool
The issue is likely related in the sense that it's a messy ssl cert
@bo0tzz I removed immich proxy and I'm using Caddy instead. I visited that page, but I'm not sure how to convert that to Caddy's config. I can share it here if it helps but it's worked in the past. @ttmx That would make sense. I just added the subdomain so maybe something went wrong when it pulled the cert. How do I point that function to my server? Do I just run that at the command line?
yeah just run that in bash and then run
seecert immich.yourdomain.ext
Ok, I'll try that now.
just making sure, you don't have cloudflare or anything else?
No
function seecert (immich.mydomain.com) {
nslookup $1
(openssl s_client -showcerts -servername $1 -connect $1:443 <<< "Q" | openssl x509 -text | grep -iA2 "Validity")
}
-bash: syntax error near unexpected token `{'
>
I also tried https://immich.mydomain.com
wait I messed up give me a sec
Try this
you can forego the nslookup tbh
I'm not very versed in openssl client, this is from stackoverflow
I may not have realised that this answer was for windows 😎
works on my machine though
I'm using ubuntu linux. Where should I put the immich domain using the new function?
I tried putting it after seecrt but that didn't work.
Just run the commands one at a time if it's not working
Put this handler in your Caddyfile:
And example Caddy container in immich docker-compose.yml:
This kit works flawlessly for me.
@jurekl Thank you for the example config file. I compared it to my own, they are identical except the option compression, which I added.
@jrasm91 @ttmx So I re-read this thread and it got me thinking. Is this an Immich issue, a certificate issue, or a network issue? I'm leaning towards a network config issue on the host because other machines, on different networks can get a response from: curl "https://immich.mydomain.com/api/server-info/ping". That seems to me that the domain, immich, and the certificate are working fine. Maybe it's a DNS issue on the host. I'm open to any support you're willing to give but I understand this is beyond the scope of immich support. I just created a vlan to separate the networks and I may have broken something along the way. I'm very new to VLANs and mostly set it up so I can learn more. As another test I'm going to spin up a virtual server on a different network and see if I can run the immich cli on that network. Then we will know for sure which of the 3 it is.
I also get:
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html
when I curl other services on the host, but it works fine when on another network.
Sounds good. I'm fairly confident this is not an immich issue and probably is not a cert issue either.
I agree with you. Thanks again for your help. All of the other services were working fine. This was the only issue I had when moving over to the new network so I concluded it had to be immich. Sorry about that.
No worries. Best of luck getting it sorted. I've never used vlans myself. I just rely on docker networking to isolate containers and whitelist available ports
(via bridge network)
Yeah, that's the way I've been doing it as well. I just figured I'd give it a try since my router has the functionality. I also have 50+ services running so a lot of surface area to attack.