# Debugging SSL in the Android app


tidal tulip
#

Hello,

I'm fairly certain I have an error in my network setup, but would appreciate suggestions for getting more information out of the Immich Android app if possible.

The Android app is on 2.4.1 build.3030, server is 2.5.0.

The short of what I'm looking for:
In the Android app I'm getting 'Invalid SSL certificate for <my public url>:443'. I'd like to get more details on what is wrong with the certificate if possible. Am I getting one at all, is it broken or am I getting the wrong one? I have enabled debugging in the advanced settings but I don't see more than that.
I can reach Immich just fine via Firefox with no complaints about the certificate.

The longer version:
(You will be able to tell this is all a bit convoluted, remember - I'm just asking how to get more SSL information from the app. I think it is unlikely that the fault is in Immich.)
I'm experimenting with IPv6-only networking. I only get this problem on the Android app when connecting through an IPv6-only network. The server is exposed via an nginx proxy on both IPv4 and IPv6, with IPv4 being used between nginx and Immich.
In my firewall logs I can see the connection coming in to nginx on IPv6 and being forwarded to Immich on IPv4. (NAT64 and DNS64 are available on the client network as well, so in case the app used the A-record and attempted to connect via IPv4 that should work as well since Android runs CLAT. As far as I can tell it is trying directly over IPv6 though.)

Thank you

tired glenBOT
#

:wave: Hey @tidal tulip,

Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich.

References

#

Checklist

I have...

  1. :ballot_box_with_check: verified I'm on the latest release (note that mobile app releases may take some time).
  2. :ballot_box_with_check: read applicable release notes.
  3. :ballot_box_with_check: reviewed the FAQs for known issues.
  4. :blue_square: reviewed GitHub for known issues.
  5. :ballot_box_with_check: tried accessing Immich via local IP (without a custom reverse proxy).
  6. :blue_square: uploaded the relevant information (see below).
  7. :blue_square: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable.

(an item can be marked as "complete" by reacting with the appropriate number)

Information

In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:

  • Your docker-compose.yml and .env files.
  • Logs from all the containers and their status (see above).
  • All the troubleshooting steps you've tried so far.
  • Any recent changes you've made to Immich or your system.
  • Details about your system (both software/OS and hardware).
  • Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
  • The version of the Immich server, mobile app, and other relevant pieces.
  • Any other information that you think might be relevant.

Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)

If this ticket can be closed you can use the /close command, and re-open it later if needed.

visual drift
#

The easiest is if you're able to share your domain

#

Likely your reverse proxy isn't sending the full chain

tidal tulip
#

I could DM it to you?

visual drift
#

Sure

tidal tulip
#

Sent

visual drift
#
~ ❯ openssl s_client snip:443
Connecting to snip
CONNECTED(00000003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E7
verify return:1
depth=0 CN=snip
verify return:1
---
Certificate chain
 0 s:CN=snip
   i:C=US, O=Let's Encrypt, CN=E7
   a:PKEY: EC, (secp384r1); sigalg: ecdsa-with-SHA384
   v:NotBefore: Dec  9 15:29:46 2025 GMT; NotAfter: Mar  9 15:29:45 2026 GMT
 1 s:C=US, O=Let's Encrypt, CN=E7
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
#

It's only sending the leaf & root; there's an intermediate cert in between that also needs to be sent

#

You'll need to fix that in your reverse proxy's config

tidal tulip
#

Wow, thanks. I'll look into it. 👍

tidal tulip
#

Okay, I'm back and slightly confused. The result of the openssl command is the same no matter where I connect from. The app accepts it happily as long as I'm not connecting from the IPv6 only network.
The nginx config points to the fullchain file from certbot (I'm using nginx proxy manager) and that file looks the same.
Also, you say it's only sending leaf & root, which doesn't seem true. The chain is ISRG Root X1 -> Let's Encrypt -> My domain. The chain in the response contains the last two, so that'd be intermediary (Let's Encrypt) and leaf (my domain). The root part is supposed to be in the client's store of trusted CAs already, no?

#

Also, again: is there any way to debug what the android app is actually complaining about in more detail?
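The check a practitioner would run next on the question above, as an added example that is not from the thread or from Immich: the transcript shown earlier is a leaf plus the Let's Encrypt E7 intermediate with the root omitted, which is the normal shape, so the more likely cause is that the proxy serves something different on its IPv6 address than on its IPv4 address, and this script compares the two with SNI set and classifies each served chain. It assumes `openssl` 1.1.0 or newer is installed and takes the public hostname as its argument (`example.invalid` in the constructed sample is a placeholder).

```shell
#!/bin/sh
# Added diagnostic helper, not from the thread or the Immich project. Assumes
# OpenSSL 1.1.0+ (s_client has -4/-6 and -servername); "example.invalid" is a placeholder.
# Fetch the handshake transcript over one IP family (4 or 6) with SNI set,
# so the proxy picks the same virtual host a browser would.
served_chain() {  # usage: served_chain 4|6 host
  openssl s_client -"$1" -servername "$2" -connect "$2:443" </dev/null 2>/dev/null
}
# Reduce the "Certificate chain" section of s_client output (stdin) to one
# "subject|issuer" line per certificate.
chain_pairs() {
  awk '
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0 }
    /^ *i:/        { sub(/^ *i:/, ""); print subj "|" $0 }
  '
}

# Classify the served chain read from stdin:
#   none      - no certificate seen (handshake failed or nothing listening on this family)
#   leaf-only - one cert; a client without the intermediate cached cannot build a path
#   with-root - last cert is self-signed, so the root was sent too (harmless)
#   complete  - leaf plus intermediate(s), root omitted (the normal, correct shape)
classify_chain() {
  pairs=$(chain_pairs)
  n=$(printf '%s\n' "$pairs" | grep -c . || true)
  last=$(printf '%s\n' "$pairs" | tail -n 1)
  if [ "$n" -eq 0 ]; then echo none
  elif [ "$n" -eq 1 ]; then echo leaf-only
  elif [ "${last%%|*}" = "${last#*|}" ]; then echo with-root
  else echo complete
  fi
}

# Classify over IPv4 and IPv6 for the same name; a mismatch (for example a default
# vhost answering on the AAAA address) explains "fine on v4, error on v6".
compare_families() {  # usage: compare_families host
  for fam in 4 6; do
    printf 'IPv%s: %s\n' "$fam" "$(served_chain "$fam" "$1" | classify_chain)"
  done
}

# Constructed sample modelled on the s_client output in the thread (hostname replaced).
SAMPLE_CHAIN=$(cat <<'EOF'
 0 s:CN=example.invalid
   i:C=US, O=Let's Encrypt, CN=E7
 1 s:C=US, O=Let's Encrypt, CN=E7
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
EOF
)
if [ -n "${1:-}" ]; then compare_families "$1"; fi
```

Run it as `sh check_chain.sh your.public.host`; if IPv4 reports `complete` and IPv6 reports `none` or `leaf-only`, the problem is in the proxy's IPv6 listener or vhost rather than in the certificate file itself.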