Android App: Self Signed certificate option missing under Advanced settings.

[AlbertDaYoungYT]

I have searched the existing issues, both open and closed, to make sure this is not a duplicate report.

• Yes

The bug

When trying to connect to my Immich server this afternoon, i found that the option to allow self signed certificates is not there anymore, and have defaulted to rejecting my certificate. Connecting in the web browser works perfectly, both on Windows and Android.

The OS that Immich Server is running on

Debian 13 - Proxmox LXC Container (Installed through Proxmox VE Helper Scripts)

Version of Immich Server

v2.5.6

Version of Immich Mobile App

v2.6.1

Platform with the issue

• Server
• Web
• Mobile

Device make and model

Samsung S22 Ultra - Android 16

Your docker-compose.yml content

NOT PRESENT

Your .env content

TZ=Europe/Copenhagen
IMMICH_VERSION=release
NODE_ENV=production
IMMICH_ALLOW_SETUP=true

DB_HOSTNAME=127.0.0.1
DB_USERNAME=immich
DB_PASSWORD=%REDACTED%
DB_DATABASE_NAME=immich
DB_VECTOR_EXTENSION=vectorchord

REDIS_HOSTNAME=127.0.0.1
IMMICH_MACHINE_LEARNING_URL=http://127.0.0.1:3003
MACHINE_LEARNING_CACHE_FOLDER=/opt/immich/cache
## - For OpenVINO only - uncomment below to increase
## - inference speed while reducing accuracy
## - Default is FP32
# MACHINE_LEARNING_OPENVINO_PRECISION=FP16

IMMICH_MEDIA_LOCATION=/mnt/smb/

Reproduction steps

1. Open Android App
2. Enter my URL for Nginx reverse proxy to Immich (https://immich.node1.local)
3. Error message pops up "Server is not reachable"
   ...

Relevant log output

ApiException 400: HTTP connection failed: GET /server/ping (Inner exception: ClientException: javax.net.ssl.SSLPeerUnverifiedException: Hostname xn--immch-vsa.node1.local not verified:
    certificate: sha256/txGmPPrJoMIXZX/+8dBvSZDWD/al4J9mliZUy9wBO40=
    DN: CN=*.node1.local,O=HomeLab,L=Network,ST=Local,C=DK
    subjectAltNames: [], uri=https://xn--immch-vsa.node1.local/api/server/ping)

Additional information

if this is relevant, here is the Nginx config i use to proxy to Immich:

server {
    listen 443 ssl;
    server_name immich.node1.local;

    ssl_certificate /etc/nginx/ssl/certs/*.node1.local.crt;
    ssl_certificate_key /etc/nginx/ssl/private/*.node1.local.key;

    client_max_body_size 50000M;
    proxy_request_buffering off;
    proxy_read_timeout 600s;

    # This is for a custom error page i use.
    include /etc/nginx/snippets/error_pages.conf;

    location / {
        proxy_pass http://10.10.150.228:2283;
        
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        
        proxy_buffering off;
    }

    location = /.well-known/immich {
        proxy_pass http://10.10.150.228:2283;
    }
}

[alextran1502]

Self-signed certificates are now supported by default, so we don't need this toggle anymore. You need to go out to the login screen to import your certificate

[AlbertDaYoungYT]

Hello, i just imported the .pfx certificate after converting it from .crt and .key using openssl pkcs12 export. But i am still getting the same exact error, even after clearing app cache and data, then reimporting the certificate. And even after rebooting Android i still get hostname not verified errors in the app log.

Edit: Creating a PEM file in Termux and trying to connect with curl, is successfull with the installed certificate.

[mertalev]

You need to install the CA to the system store instead now.

[AlbertDaYoungYT]

I looked into the SSL certificates that i have been issued on my services, and i found that i was incorrectly creating certificates. Sorry for taking your time, and thank you for your help.

[jud3k]

I've also stepped upon this problem. When I'm clicking the "Import" button in advanced settings nothing happens. What's the solution to this? I've reinstalled the app twice and still nothing.

[jud3k]

What a champ you are man! Thank you very much, everything works fine now. Have a nice weekend, well almost.. Cheers!

[jud3k]

The ca cert don't work on Iphones. Is anyone know about this and how to solve it?

[mertalev]

General > About > Certificate Trust Settings > Enable Full Trust for Root Certificates

[asdfzerozero]

General > About > Certificate Trust Settings > Enable Full Trust for Root Certificates

this does not work, I shared why in thread below. iphone app is down hard as a result unfortunately with no way to bypass the cert issue

[jud3k]

@mertalev
It worked, thanks!

[paimonsoror]

Import button doesn't work for me. Running the 2.7.2 version of the android app.

[mertalev]

Are you trying to import a CA cert in the app? That won't work. It needs to be added to the system store.

[asdfzerozero]

I have a self-signed CA and an intermediate issuing the server cert, without buying a mobile device manager for my iphone I am unable to trust an intermediate cert. a release a week or two (or three?) appears to have blocked me from areconnecting in the app. my browsers all work great off the local store, but this causes a breaking change on my iphone setup. what can we do to allow the import of certs again?

(the root CA is actually already trusted unfortunately the full chain is not trusted so the phone considers it untrusted - I'm not looking to buy a MDM for my personal setup)

in other words, this is a breaking change, can we allow people to go under 'super advanced' settings to allow certificate imports into app?

[mertalev]

The app has never supported importing a CA. What it did have is an "Allow self-signed certificates" option, which meant it completely skipped validation. We have no intention of bringing that option back and the solution is to defer this management to the OS where it belongs.

[asdfzerozero]

The app has never supported importing a CA. What it did have is an "Allow self-signed certificates" option, which meant it completely skipped validation. We have no intention of bringing that option back and the solution is to defer this management to the OS where it belongs.

I stand corrected, this was only accessible once connected to a VPN... it appears I need to find a new way to support this app from iphone as the certificate structure I ahve issues from itnermediate signing CA. appreciate the info.