Mobile App Client certificate Invalid SSL certificate #16196

Closed
1 of 3 tasks
AdriDevelopsThings opened this issue Feb 18, 2025 · 1 comment

The bug

I'm trying to use the client certificate and it worked for like two months but it stopped working. The app says "Invalid SSL certificate for DOMAIN:443" from "HttpSSLCertOverride". But the certificate is right and opening the URL in Safari (with an imported client certificate) works.

The OS that Immich Server is running on

Ubuntu 22.04

Version of Immich Server

v1.126.1

Version of Immich Mobile App

v1.126.1

Platform with the issue

  • Server
  • Web
  • Mobile

Your docker-compose.yml content

services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    labels:
      - traefik.enable=true
      - traefik.http.routers.immich.rule=Host(`HOST`)
      - traefik.http.routers.immich.tls.options=client_certificate@file
      - traefik.http.routers.immich.tls.certResolver=letsencrypt
      - traefik.http.routers.immich-share.rule=Host(`SHARE_HOST`) && Method(`GET`) && (PathPrefix(`/share`) || PathPrefix(`/_app`) || PathPrefix(`/api/shared-links/me`) || PathPrefix(`/api/server`) || PathPrefix(`/api/assets`))
    depends_on:
      - redis
      - database
    restart: always
    networks:
      - default
      - traefik

  immich-machine-learning:
    container_name: immich_machine_learning
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    volumes:
      - model-cache:/cache
    env_file:
      - .env
    restart: always

  redis:
    container_name: immich_redis
    image: registry.hub.docker.com/library/redis:6.2-alpine@sha256:84882e87b54734154586e5f8abd4dce69fe7311315e2fc6d67c29614c8de2672
    restart: always

  database:
    container_name: immich_postgres
    image: registry.hub.docker.com/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
    volumes:
      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
    restart: always

volumes:
  model-cache:

networks:
  traefik:
    name: traefik
    external: true

Your .env content

UPLOAD_LOCATION=<UPLOAD_LOCATION>
IMMICH_VERSION=release
DB_PASSWORD=*******
DB_HOSTNAME=immich_postgres
DB_USERNAME=postgres
DB_DATABASE_NAME=immich
DB_DATA_LOCATION=./postgres
REDIS_HOSTNAME=immich_redis

Reproduction steps

  1. Require a client certificate for connecting with your Immich server
  2. Import the client certificate file in the mobile app
  3. Try to connect to the server

Relevant log output

2025-02-18 17:38:06.437276 | SEVERE   | ApiService           | Error while checking server availability | ApiException 400: TLS/SSL communication failed: GET /server/ping (Inner exception: HandshakeException: Handshake error in client (OS Error: 
        CERTIFICATE_VERIFY_FAILED: application verification failure(handshake.cc:393)))

#0      _SecureFilterImpl._handshake (dart:io-patch/secure_socket_patch.dart:99)
#1      _SecureFilterImpl.handshake (dart:io-patch/secure_socket_patch.dart:143)
#2      _RawSecureSocket._secureHandshake (dart:io/secure_socket.dart:920)
#3      _RawSecureSocket._secureHandshake (dart:io/secure_socket.dart:923)
<asynchronous suspension>
#4      _RawSecureSocket._tryFilter (dart:io/secure_socket.dart:1049)
<asynchronous suspension>
 |
#0      ApiClient.invokeAPI (package:openapi/api_client.dart:111)
<asynchronous suspension>
#1      ServerApi.pingServer (package:openapi/api/server_api.dart:492)
<asynchronous suspension>
#2      Future.timeout.<anonymous closure> (dart:async/future_impl.dart:963)
<asynchronous suspension>
#3      ApiService._isEndpointAvailable (package:immich_mobile/services/api.service.dart:107)
<asynchronous suspension>
#4      ApiService.resolveEndpoint (package:immich_mobile/services/api.service.dart:88)
<asynchronous suspension>
#5      ApiService.resolveAndSetEndpoint (package:immich_mobile/services/api.service.dart:70)
<asynchronous suspension>
#6      AuthService.validateServerUrl (package:immich_mobile/services/auth.service.dart:51)
<asynchronous suspension>
#7      LoginForm.build.getServerAuthSettings (package:immich_mobile/widgets/forms/login/login_form.dart:100)
<asynchronous suspension>

2025-02-18 17:38:06.436167 | SEVERE   | HttpSSLCertOverride  | Invalid SSL certificate for <DOMAIN>:443 |
2025-02-18 17:37:49.730190 | INFO     | HttpSSLCertOverride  | Setting client certificate |

Additional information

No response
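
One way to read the log output above, as an added example that is not part of the original issue or of the Immich code base: the code parses the app's pipe-delimited log records and reports which side aborted the TLS handshake. The sample log is constructed from the lines in the report, `photos.example.test` is a placeholder host, and the `_ALERT_` rule is an assumption based on OpenSSL/BoringSSL reason naming.

```python
import re

# Constructed sample in the app log layout "time | LEVEL | component | message |",
# modelled on the report above; the host name is a placeholder.
SAMPLE_LOG = """\
2025-02-18 17:38:06.437276 | SEVERE   | ApiService           | Error while checking server availability | ApiException 400: TLS/SSL communication failed: GET /server/ping (Inner exception: HandshakeException: Handshake error in client (OS Error:
        CERTIFICATE_VERIFY_FAILED: application verification failure(handshake.cc:393)))
2025-02-18 17:38:06.436167 | SEVERE   | HttpSSLCertOverride  | Invalid SSL certificate for photos.example.test:443 |
2025-02-18 17:37:49.730190 | INFO     | HttpSSLCertOverride  | Setting client certificate |
"""

RECORD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \| (\w+)\s*\| (\S+)\s*\| (.*)$")
OS_ERROR = re.compile(r"OS Error:\s*([A-Z0-9_]+)(?::\s*([^()]+))?")

def parse_records(text):
    """Split the log into records, folding wrapped lines into the record above."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append(dict(zip(("time", "level", "component", "message"), m.groups())))
        elif records and line.strip():
            records[-1]["message"] += " " + line.strip()
    return records

def classify(message):
    """Return which side aborted the TLS handshake, or None if no OS error."""
    m = OS_ERROR.search(message)
    if not m:
        return None
    reason, detail = m.group(1), (m.group(2) or "").strip()
    side = "unknown"
    if "_ALERT_" in reason:
        # Assumption: OpenSSL/BoringSSL reason names containing _ALERT_ are alerts
        # sent by the peer, so the server refused (check client cert and its CA).
        side = "server"
    elif reason == "CERTIFICATE_VERIFY_FAILED":
        # The client's own check of the server certificate failed: look at device
        # trust, the served chain and the host name, not at the client certificate.
        side = "client"
    return {"rejected_by": side, "reason": reason, "detail": detail}

def triage(text):
    """Classify every record that carries a handshake OS error."""
    return [(r["time"], r["component"], c)
            for r in parse_records(text) if (c := classify(r["message"]))]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

For the constructed sample the single finding is a client-side rejection with detail "application verification failure", the text OpenSSL and BoringSSL use for `X509_V_ERR_APPLICATION_VERIFICATION`.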
