Android App issues with self signed certificate

[Ad-Blokker]

Describe the bug

Setup:

• Jellyfin server on Windows Server
• Configured HTTPS with self-signed certificate made by OpenSSL

On desktop it gives the certificate warning but still connects to the server. When doing the same on mobile it just doesn't want to connect. I have installed the root CA cert for the self-signed certificate on my phone.

The logs on android show that the HTTPs connection drops the following error: https://192.168.178.2:8920/Failure(org.jellyfin.sdk.api.client.exception.ApiClientException: Unknown error occurred!)

Logs

09-12 01:41:04.935  4119  4119 I ConnectFragment: checkServerUrlAndConnection 192.168.xxx.xxx
09-12 01:41:04.937  4119  4119 I ConnectFragment: Address candidates are [https://192.168.xxx.xxx, https://192.168.xxx.xxx:8096, https://192.168.xxx.xxx:8920, http://192.168.xxx.xxx, http://192.168.xxx.xxx:8096]

09-12 01:41:04.961  4119 20797 D TrafficStats: tagSocket(102) with statsTag=0xffffffff, statsUid=-1

09-12 01:41:09.958  4119 20803 D TrafficStats: tagSocket(123) with statsTag=0xffffffff, statsUid=-1
09-12 01:41:09.987  4119 20809 D TrafficStats: tagSocket(123) with statsTag=0xffffffff, statsUid=-1

09-12 01:41:10.012  4119 20814 D TrafficStats: tagSocket(90) with statsTag=0xffffffff, statsUid=-1

09-12 01:41:10.028  4119 20822 D TrafficStats: tagSocket(122) with statsTag=0xffffffff, statsUid=-1

09-12 01:41:10.036  4119  4119 I ConnectFragment: No valid servers found, invalid candidates were: https://192.168.xxx.xxx/Failure(org.jellyfin.sdk.api.client.exception.TimeoutException: HTTP request timed out), https://192.168.xxx.xxx:8096/Failure(org.jellyfin.sdk.api.client.exception.ApiClientException: Unknown error occurred!), https://192.168.xxx.xxx:8920/Failure(org.jellyfin.sdk.api.client.exception.ApiClientException: Unknown error occurred!), http://192.168.xxx.xxx/Failure(org.jellyfin.sdk.api.client.exception.ApiClientException: Unknown error occurred!), http://192.168.xxx.xxx:8096/Failure(org.jellyfin.sdk.api.client.exception.ApiClientException: Unknown error occurred!)
09-12 01:41:10.048  4119  4119 W RemoteInputConnectionImpl: getExtractedText on inactive InputConnection
09-12 01:41:10.064  4119  4119 W RemoteInputConnectionImpl: getTextBeforeCursor on inactive InputConnection

Application version

2.4.4

Where did you install the app from?

Google Play

Device information

Google Pixel 4a

Android version

Android 13

Jellyfin server version

10.8.4

Which video player implementations does this bug apply to?

N/A

[Ad-Blokker]

Possibly related to: #742

[Maxr1998]

We cannot handle certificate warnings in the app, but do you still get one if you install the certificate on your desktop? Also, can you connect on the mobile browser? The current error message unfortunately isn't very helpful, but iirc the api client was improved in that regard. We may need to push another update soon.

[Ad-Blokker]

@Maxr1998 Thank you for the response!

I can connect via the mobile browser but still get a certificate warning. Which is strange because the CA/issuer of the certificate is a trusted added CA on my phone. I just want to toss it up to android being weird with trusting customer CA's or it could be user error on my part.

On my desktop it is hit or mis with the custom installed CA cert. But every other platform just lets you ignore certificate warnings and continue.

It would be very nice if certificate warnings could be handled in the app.

[pmsobrado]

I'm on the same boat, I created my self signed certificate as instructed here in other issues but the app won't connect. I'm running Jellyfin from a Docker but it shouldn't make a difference, right?

EDIT:

The error is: OS Error: CERTIFICATE_VERIFY_FAILED: unable to get local issuer certificate(handshake.cc:393)

I'm on Android 10 and MIUI 12.

[jellyfin-bot]

This issue has gone 120 days without comment. To avoid abandoned issues, it will be closed in 21 days if there are no new comments.

If you're the original submitter of this issue, please comment confirming if this issue still affects you in the latest release or master branch, or close the issue if it has been fixed. If you're another user also affected by this bug, please comment confirming so. Either action will remove the stale label.

This bot exists to prevent issues from becoming stale and forgotten. Jellyfin is always moving forward, and bugs are often fixed as side effects of other changes. We therefore ask that bug report authors remain vigilant about their issues to ensure they are closed if fixed, or re-confirmed - perhaps with fresh logs or reproduction examples - regularly. If you have any questions you can reach us on Matrix or Social Media.

[Rh9no]

A setting like the desktop media player (ignoreSSLErrors) that can be configured without root could be useful.

[sv1sjp]

I am facing the same problem, I think it should be considered adding a warning notification in case that a user tries to connect to a server with a self-signed certificate and then be able to connect normally (as it happens in nextcloud application). Personally I set up the server for my own usage internally,

[nielsvanvelzen]

We're working on SSL error reporting in our SDK which should provide more helpful messages for connection issues. We will never add the option to ignore SSL errors, if you want to use a self-signed certificate you can add it to the trust store of the operating system.

[serialpotato]

How to add self signed cert to Android? I am running in circles about failure of Jellyfin android for simply detecting my local installation.

[jellyfin-bot]

This issue has gone 120 days without comment. To avoid abandoned issues, it will be closed in 21 days if there are no new comments.

If you're the original submitter of this issue, please comment confirming if this issue still affects you in the latest release or master branch, or close the issue if it has been fixed. If you're another user also affected by this bug, please comment confirming so. Either action will remove the stale label.

This bot exists to prevent issues from becoming stale and forgotten. Jellyfin is always moving forward, and bugs are often fixed as side effects of other changes. We therefore ask that bug report authors remain vigilant about their issues to ensure they are closed if fixed, or re-confirmed - perhaps with fresh logs or reproduction examples - regularly. If you have any questions you can reach us on Matrix or Social Media.

[serialpotato]

Any update?

[Likogann]

I'm having the same issue. The android jellyfin client refuses to accept self-signed ssl certificates. Otherwise it works fine.

It seems crazy to me that the app wouldn't have a button to Ignore & Accept ssl errors like all browsers do... especially considering the whole premise of jellyfin is self hosting, where many users will se self-signed certificates.

Especially since many people don't have a domain name to even generate an SSL certificate for. You can't get a valid SSL certificate for your home IP address.

Workaround As a temporary workaround, I've been using Chromium's Add to Homescreen feature. It's basically a web wrapper pretending to be a native app. It's not perfect, but it works. Many other android browsers have this feature too. I don't know if casting works with this workaround.

[AdamantUnstable]

I'm having the same issue, Android 14, latest version of the app and latest version of the linux-server Jellyfin docker container. I don't think this is quite as simple as just allowing the user to override certificate errors either, as I have correctly installed the CA certificate (I'm using a self signed CA rather than a direct self signed cert) in my phone and Chrome will happily connect to the Jellyfin instance without any SSL errors using that certificate, but the app still pretends that the server doesn't exist unless I use plain HTTP. The app doesn't seem to be using the OS certificate chain.

[AdamantUnstable]

How to add self signed cert to Android? I am running in circles about failure of Jellyfin android for simply detecting my local installation.

You can install additional trusted SSL certificates in Android in the settings, it varies slightly by different manufacturer launchers but you can usually search for certificates in the Settings app and find a setting like CA Certificates, which will give you a scary warning then allow you to install a certificate. If I understand correctly you should install it as a CA certificate even when it's a self signed cert, but double check that one as I use a slightly different setup. For what it's worth, not all apps use the OS store either (Firefox Mobile uses its own CA cert chain, so you need to install the cert there as well).

[jellyfin-bot]

This issue has gone 120 days without comment. To avoid abandoned issues, it will be closed in 21 days if there are no new comments.

If you're the original submitter of this issue, please comment confirming if this issue still affects you in the latest release or master branch, or close the issue if it has been fixed. If you're another user also affected by this bug, please comment confirming so. Either action will remove the stale label.

This bot exists to prevent issues from becoming stale and forgotten. Jellyfin is always moving forward, and bugs are often fixed as side effects of other changes. We therefore ask that bug report authors remain vigilant about their issues to ensure they are closed if fixed, or re-confirmed - perhaps with fresh logs or reproduction examples - regularly. If you have any questions you can reach us on Matrix or Social Media.