Mobile Immich - using self signed certificates fails to download photos or play videos #15188

Closed
1 of 3 tasks
ckuyehar opened this issue Jan 9, 2025 · 5 comments

ckuyehar commented Jan 9, 2025

The bug

It appears that the mobile app depends on a package called background_downloader. This package:

  1. Does not allow self-signed certificates in release mode.
  2. Nor does it abide by the mobile platform PKI trust store, i.e., standing up mutual TLS, trusting your CA and importing a client certificate.

So... if you have a self-signed TLS nginx reverse proxy setup, you will not be able to download images or play videos. You can successfully view images and upload images. 👍

If we can get this fixed I'll be happy to document a mutual TLS nginx reverse proxy setup guide that allows Immich users to host Immich securely on the Internet.

The OS that Immich Server is running on

Ubuntu 24.04.1 LTS

Version of Immich Server

v1.123.0

Version of Immich Mobile App

v1.123.0 build.172

Platform with the issue

  • Server
  • Web
  • Mobile

Your docker-compose.yml content

#
# WARNING: Make sure to use the docker-compose.yml of the current release:
#
# https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
#
# The compose file on main may not be compatible with the latest release.
#

name: immich

services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    # extends:
    #   file: hwaccel.transcoding.yml
    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
    volumes:
      # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    ports:
      - '2283:2283'
    depends_on:
      - redis
      - database
    restart: always
    healthcheck:
      disable: false

  immich-machine-learning:
    container_name: immich_machine_learning
    # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
    # Example tag: ${IMMICH_VERSION:-release}-cuda
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
    #   file: hwaccel.ml.yml
    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
    volumes:
      - model-cache:/cache
    env_file:
      - .env
    restart: always
    healthcheck:
      disable: false

  redis:
    container_name: immich_redis
    image: docker.io/redis:6.2-alpine@sha256:eaba718fecd1196d88533de7ba49bf903ad33664a92debb24660a922ecd9cac8
    healthcheck:
      test: redis-cli ping || exit 1
    restart: always

  database:
    container_name: immich_postgres
    image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      POSTGRES_INITDB_ARGS: '--data-checksums'
    volumes:
      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
    healthcheck:
      test: >-
        pg_isready --dbname="$${POSTGRES_DB}" --username="$${POSTGRES_USER}" || exit 1;
        Chksum="$$(psql --dbname="$${POSTGRES_DB}" --username="$${POSTGRES_USER}" --tuples-only --no-align
        --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')";
        echo "checksum failure count is $$Chksum";
        [ "$$Chksum" = '0' ] || exit 1
      interval: 5m
      start_interval: 30s
      start_period: 5m
    command: >-
      postgres
      -c shared_preload_libraries=vectors.so
      -c 'search_path="$$user", public, vectors'
      -c logging_collector=on
      -c max_wal_size=2GB
      -c shared_buffers=512MB
      -c wal_compression=on
    restart: always

volumes:
  model-cache:

Your .env content

# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables

# The location where your uploaded files are stored
UPLOAD_LOCATION=./immich-data
# The location where your database files are stored
DB_DATA_LOCATION=./postgres

# To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
TZ=Pacific/Honolulu

# The Immich version to use. You can pin this to a specific version like "v1.71.0"
IMMICH_VERSION=release

# Connection secret for postgres. You should change it to a random password
# Please use only the characters `A-Za-z0-9`, without special characters or spaces
DB_PASSWORD=[redacted]

# The values below this line do not need to be changed
###################################################################################
DB_USERNAME=postgres
DB_DATABASE_NAME=immich

Reproduction steps

  1. Set up a self-signed TLS nginx reverse proxy.
  2. Configure the Immich mobile app to use the TLS nginx reverse proxy.
  3. Before attempting login, click the gear/settings button. Enable the "Allow self-signed SSL certificates" feature.
  4. Log in to the Immich mobile app.
  5. Select a photo that you know does not exist on the mobile device.
  6. While viewing the photo, in the lower right toolbar there will be a download button. Click the download button.
  7. After clicking download, a toast-like message will appear indicating "Download failed [filename]"
    ...

Relevant log output

The Immich mobile app does not have any relevant logs related to download failures.

Additional information

If you perform a packet capture of traffic in transit, you'll see that immediately after clicking download the background_downloader reports TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Certificate Unknown).
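The fatal alert in the packet capture is the client refusing the server's certificate, so the failure can be reproduced without nginx, a phone or Immich at all. The following is an added example (my code, not Immich's and not background_downloader's) that mints a self-signed server certificate and a self-signed client certificate with the openssl CLI (assumed to be installed), then runs four TLS handshakes over loopback: a client that trusts only the system store (what the downloader effectively does), a client that pins the self-signed certificate (what the "Allow self-signed SSL certificates" toggle would need to do for every HTTP client in the app), and an mTLS server with and without a client certificate. The scenario names, the `localhost` SAN and the one-day certificate lifetime are my choices, not anything from the issue.

```python
"""Loopback reproduction of the trust failure in this thread.

Added example, not Immich or background_downloader code. Mints a self-signed
server cert and a self-signed client cert with the openssl CLI (assumed
installed) and runs four TLS handshakes over loopback:

  platform_only          client trusts only the system store  -> rejected
  pinned_self_signed     client trusts the server's own cert   -> accepted
  mtls_no_client_cert    server demands a client cert, none    -> rejected
  mtls_with_client_cert  client presents its certificate       -> accepted

platform_only is the downloader's behaviour: a client that never loads the
private CA aborts with a fatal alert, which the server sees as a TLS error.
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(dirpath, name, san):
    """Write name.key / name.crt (RSA-2048, 1 day) using the openssl CLI."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl CLI not found; needed to mint test certificates")
    key = os.path.join(dirpath, f"{name}.key")
    crt = os.path.join(dirpath, f"{name}.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={name}", "-addext", f"subjectAltName={san}",
         "-keyout", key, "-out", crt],
        check=True, capture_output=True)
    return key, crt


def handshake(server_ctx, client_ctx):
    """One TLS exchange over loopback; returns (ok, client_error, server_error).

    The server sends b"ok" once its handshake succeeds and the client reads it,
    so a post-handshake alert (TLS 1.3 delivers mTLS failures after the client's
    Finished) still shows up as a failure rather than a silently "good" connect.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]
    server_error = []

    def serve():
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"ok")
        except OSError as exc:  # SSLError (alert received / verify failed) or reset
            server_error.append(getattr(exc, "reason", None) or type(exc).__name__)

    thread = threading.Thread(target=serve)
    thread.start()
    ok, client_error = False, ""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                ok = tls.recv(2) == b"ok"
    except OSError as exc:  # SSLCertVerificationError, alert from server, or reset
        client_error = getattr(exc, "reason", None) or type(exc).__name__
    thread.join(5)
    listener.close()
    return ok, client_error, (server_error[0] if server_error else "")


def run_scenarios(workdir=None):
    """Mint the certificates and run the four scenarios; returns name -> result."""
    workdir = workdir or tempfile.mkdtemp(prefix="tls-trust-demo-")
    server_key, server_crt = make_self_signed(workdir, "server", "DNS:localhost")
    client_key, client_crt = make_self_signed(workdir, "client", "DNS:client")

    def server_context(require_client_cert):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(server_crt, server_key)
        if require_client_cert:  # nginx equivalent: ssl_verify_client on
            ctx.verify_mode = ssl.CERT_REQUIRED
            ctx.load_verify_locations(client_crt)  # private CA for client certs
        return ctx

    platform_only = ssl.create_default_context()            # system trust store only
    pinned = ssl.create_default_context(cafile=server_crt)   # trust the self-signed cert
    pinned_with_cert = ssl.create_default_context(cafile=server_crt)
    pinned_with_cert.load_cert_chain(client_crt, client_key)  # present a client cert

    return {
        "platform_only": handshake(server_context(False), platform_only),
        "pinned_self_signed": handshake(server_context(False), pinned),
        "mtls_no_client_cert": handshake(server_context(True), pinned),
        "mtls_with_client_cert": handshake(server_context(True), pinned_with_cert),
    }


if __name__ == "__main__":
    for name, (ok, cerr, serr) in run_scenarios().items():
        print(f"{name:22s} ok={str(ok):5s} client={cerr or '-'} server={serr or '-'}")
```

Two things worth noting from the output. First, the "relaxed" client never disables verification: it pins the exact self-signed certificate as its only trust anchor and still checks the hostname, which is the setting an "allow self-signed" toggle should translate to; a library that builds its own `SSLContext` from the default store is untouched by such a toggle, which is why the app's login and uploads work while the background download aborts. Second, under TLS 1.3 the mTLS rejection reaches the client only after its own handshake has completed, so a download client that treats "handshake returned" as "connected" will report a later read error rather than a certificate error.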

9dc commented Jan 9, 2025

Same problem here. Can't download any photos since I use mTLS certs. Login and viewing work.

ckuyehar (Author) commented

@9dc I just created a guide documenting how to securely set up a TLS reverse proxy on the Internet for Immich mobile app use from anywhere.

you can review these docs, https://github.com/ckuyehar/immich/blob/ckuyehar-docs-updates/docs/docs/guides/remote-access.md and https://github.com/ckuyehar/immich/blob/ckuyehar-docs-updates/docs/docs/administration/reverse-proxy-tls.md

Please note: this doesn't resolve the issue; it merely works around the existing capabilities of Immich today.

ckuyehar (Author) commented

#15230 - tracking related issues
