immich-app / immich

High performance self-hosted photo and video management solution.
https://immich.app
GNU Affero General Public License v3.0

Android app reports Handshake Exception when SSL certs are valid #7668

Closed russelltg closed 7 months ago

russelltg commented 7 months ago

The bug

I have an Immich server set up behind a reverse proxy with certs from Let's Encrypt. Firefox on my desktop and Chrome on my phone can both connect to the website, have no warnings about self-signed certs, and say "Connection secure." But when I log in in the app, it gives a handshake exception. If I go to settings and enable self-signed certs, it works properly; however, this should not be required.

I'm happy to send my server URL to a maintainer, but would prefer to send it over email to avoid bots/etc.

The OS that Immich Server is running on

OpenWRT snapshot 02/19/2024

Version of Immich Server

v1.97.0

Version of Immich Mobile App

v1.97.0

Platform with the issue

Your docker-compose.yml content

name: immich

services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    command: [ "start.sh", "immich" ]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      #- /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    ports:
      - 2283:3001
    depends_on:
      - redis
      - database
    restart: unless-stopped
    networks:
      - immich

  immich-microservices:
    container_name: immich_microservices
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/hardware-transcoding
    #   file: hwaccel.transcoding.yml
    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
    command: [ "start.sh", "microservices" ]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      #- /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    depends_on:
      - redis
      - database
    restart: unless-stopped
    networks:
      - immich

  immich-machine-learning:
    container_name: immich_machine_learning
    # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
    # Example tag: ${IMMICH_VERSION:-release}-cuda
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
    #   file: hwaccel.ml.yml
    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
    volumes:
      - model-cache:/cache
    env_file:
      - .env
    restart: unless-stopped
    networks:
      - immich

  redis:
    container_name: immich_redis
    image: arm64v8/redis:7.2.4-alpine
    restart: unless-stopped
    volumes:
      - ./redis:/usr/local/etc/redis
    command: /usr/local/etc/redis/redis.conf
    networks:
      - immich

  database:
    container_name: immich_postgres
    image: registry.hub.docker.com/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
    volumes:
      - pgdata:/var/lib/postgresql/data
    restart: unless-stopped
    networks:
      - immich

volumes:
  pgdata:
  model-cache:

networks:
  immich:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: br-immich

Your .env content

UPLOAD_LOCATION=./library

# The Immich version to use. You can pin this to a specific version like "v1.71.0"
IMMICH_VERSION=release

# Connection secret for postgres. You should change it to a random password
DB_PASSWORD=postgres

# The values below this line do not need to be changed
###################################################################################
DB_HOSTNAME=immich_postgres
DB_USERNAME=postgres
DB_DATABASE_NAME=immich

REDIS_HOSTNAME=immich_redis

Reproduction steps

1. Attempt to login using the mobile app
2. Get error

Additional information

No response

JW-CH commented 7 months ago

Some more information, like the Android log, would be helpful. Could you post your log here (censor domains/IPs if needed)? Thanks

russelltg commented 7 months ago

Unfortunately, nothing that useful in them:

created_at,level,context,message,stacktrace
2024-03-07 07:34:03.548258,LogLevel.SEVERE,"HttpSSLCertOverride","Invalid SSL certificate for immich.xxx.com:443",""
2024-03-07 07:34:03.478698,LogLevel.SEVERE,"HttpSSLCertOverride","Invalid SSL certificate for immich.xxx.com:443",""
2024-03-07 07:34:03.412635,LogLevel.SEVERE,"HttpSSLCertOverride","Invalid SSL certificate for immich.xxx.com:443",""
2024-03-07 07:34:03.350590,LogLevel.SEVERE,"HttpSSLCertOverride","Invalid SSL certificate for immich.xxx.com:443",""
2024-03-07 07:34:03.298072,LogLevel.SEVERE,"HttpSSLCertOverride","Invalid SSL certificate for immich.xxx.com:443",""
2024-03-07 07:34:03.251440,LogLevel.SEVERE,"HttpSSLCertOverride","Invalid SSL certificate for immich.xxx.com:443",""
2024-03-07 07:34:03.195933,LogLevel.SEVERE,"HttpSSLCertOverride","Invalid SSL certificate for immich.xxx.com:443",""
2024-03-07 07:34:03.132691,LogLevel.SEVERE,"HttpSSLCertOverride","Invalid SSL certificate for immich.xxx.com:443",""
2024-03-07 07:34:03.076432,LogLevel.SEVERE,"HttpSSLCertOverride","Invalid SSL certificate for immich.xxx.com:443",""
2024-03-07 07:34:03.019777,LogLevel.SEVERE,"HttpSSLCertOverride","Invalid SSL certificate for immich.xxx.com:443",""
2024-03-07 07:34:02.952515,LogLevel.SEVERE,"HttpSSLCertOverride","Invalid SSL certificate for immich.xxx.com:443",""
2024-03-07 07:33:59.967516,LogLevel.SEVERE,"HttpSSLCertOverride","Invalid SSL certificate for immich.xxx.com:443",""

Updated to 1.98.1 and still see the issue.

jrasm91 commented 7 months ago

What type of phone and what model year?

russelltg commented 7 months ago

It's a Pixel 7 running Android 14, build UQ1A.240205.002.

jrasm91 commented 7 months ago

It's a Pixel 7 running Android 14, build UQ1A.240205.002.

Can you DM or email me the server name?

russelltg commented 7 months ago

Done. Realizing it may be relevant that the cert is issued for *.xxx.com, not specifically immich.xxx.com, although I believe this should be valid.

vmirage commented 7 months ago

I'm also getting this problem after switching from vanilla Nginx to Nginx Proxy Manager. Not sure what the difference in the configuration is. I tried modifying the SSL settings from my old Nginx to match the settings in Nginx Proxy Manager (and vice versa) so they are the same, yet it works with Nginx but not with Nginx Proxy Manager.

JW-CH commented 7 months ago

Done. Realizing it may be relevant that the cert is issued for *.xxx.com, not specifically immich.xxx.com, although I believe this should be valid.

Wildcard certs should be totally fine. Mine is working too.

I'm also getting this problem after switching from vanilla Nginx to Nginx Proxy Manager. Not sure what the difference in the configuration is. I tried modifying the SSL settings from my old Nginx to match the settings in Nginx Proxy Manager (and vice versa) so they are the same, yet it works with Nginx but not with Nginx Proxy Manager.

NPM should not be the problem at all, I have a working configuration.

vmirage commented 7 months ago

I figured out my problem. I forgot to include the intermediate certificate.

jrasm91 commented 7 months ago

I figured out my problem. I forgot to include the intermediate certificate.

When I get to my desk, this is what I was going to double-check.
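The missing-intermediate failure mode discussed above can be reproduced offline; the following script is an added example, not code from the Immich project or from anyone in this thread. It builds a throwaway root -> intermediate -> leaf chain with openssl (all names are constructed) and shows that a client which trusts only the root, as the Android app does, rejects the leaf unless the intermediate is also presented, whereas desktop browsers usually fetch the missing intermediate themselves and therefore still show "Connection secure".

```shell
#!/bin/sh
# Constructed demo chain: Example Root CA -> Example Intermediate CA -> *.example.test
# Everything is generated in a temp dir; nothing here touches a real server.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Self-signed root CA (openssl req -x509 marks it CA:TRUE by default).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem -days 30 \
  -subj "/CN=Example Root CA" >/dev/null 2>&1

# 2. Intermediate CA, signed by the root; must carry CA:TRUE to be a valid issuer.
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 30 -extfile int.ext >/dev/null 2>&1

# 3. Wildcard server (leaf) cert, signed by the intermediate, like the *.xxx.com cert above.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=*.example.test" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile leaf.ext >/dev/null 2>&1

# verify_chain ROOT LEAF [INTERMEDIATE]
# Models a client whose trust store holds only the root. The optional third
# argument is what the server would send alongside the leaf. Exit 0 = chain
# builds to the root, non-zero = "unable to get local issuer certificate".
verify_chain() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Server misconfigured: only the leaf is sent (the situation in this issue).
leaf_only() { verify_chain root.pem leaf.pem; }

# Server fixed: leaf plus intermediate are sent (fullchain.pem, not cert.pem).
full_chain() { verify_chain root.pem leaf.pem int.pem; }

if leaf_only; then echo "leaf alone verified (unexpected)"; else echo "leaf alone: FAILS, as on Android"; fi
if full_chain; then echo "leaf + intermediate: OK"; fi
```

To check a real deployment the same way, inspect what the proxy actually sends with `openssl s_client -connect host:443 -showcerts` and confirm more than one certificate appears; for Let's Encrypt, serving `fullchain.pem` rather than `cert.pem` is the usual fix.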