
Jellyfin Android app ignores Android system certificate store, fails to connect to HTTPS server using self signed certificates #1225

Open
AdamantUnstable opened this issue Dec 8, 2023 · 18 comments
Labels
bug Something isn't working

Comments

@AdamantUnstable

Describe the bug

Android version 14, app version 2.5.3

Steps to reproduce
Host Jellyfin using a self made HTTPS certificate (in my case using my own CA).
Install the certificate on Android in the certificate store
Attempt to connect to the Jellyfin server in the app - app indicates connection failed
Attempt to connect to the same server in Chrome - connects successfully with no SSL errors reported

Expected behaviour: the app connects to the server.

This behaviour applies both when using inbuilt HTTPS support and when using a reverse proxy, and does not seem to involve the alternate server URI thing as plaintext HTTP connections through the same reverse proxy work correctly in the app.

Logs

No response

Application version

2.5.3

Where did you install the app from?

Google Play

Device information

Google Pixel Fold

Android version

Android 14

Jellyfin server version

10.8.13

Which video player implementations does this bug apply to?

  • Web player (default)
  • Integrated player (ExoPlayer)
  • External player (VLC, mpv, MX Player)
@AdamantUnstable AdamantUnstable added the bug Something isn't working label Dec 8, 2023
@AdamantUnstable AdamantUnstable changed the title Jellyfin Android app ignores Android system certificate store Jellyfin Android app ignores Android system certificate store, fails to connect to HTTPS server using self signed certificates Dec 8, 2023
@AdamantUnstable
Author

Just tested, 2.6.0 exhibits the same behaviour and also fails to connect with the same generic error message

@Maxr1998
Member

Self-signed CAs installed to the settings are supported by the app, so I'm not sure what's actually causing it in your case.
Could you upload some logs of your connection failure so that we can find the real reason? Make sure to redact any personal information before posting the logs.

@xssfox

xssfox commented Jan 1, 2024

01-01 20:21:00.319  4847  4847 I ConnectionHelper: checkServerUrlAndConnection https://jellyfin.foxden
01-01 20:21:00.320  4847  4847 I ConnectionHelper: Address candidates are [https://jellyfin.foxden, https://jellyfin.foxden:8096, https://jellyfin.foxden:8920]
01-01 20:21:00.326  4847  6148 D TrafficStats: tagSocket(111) with statsTag=0xffffffff, statsUid=-1
01-01 20:21:00.326  4847  6147 D TrafficStats: tagSocket(116) with statsTag=0xffffffff, statsUid=-1
01-01 20:21:00.327  4847  6150 D TrafficStats: tagSocket(155) with statsTag=0xffffffff, statsUid=-1
01-01 20:21:00.342  4847  4847 I ConnectionHelper: No valid servers found, invalid candidates were: https://jellyfin.foxden/Failure(org.jellyfin.sdk.api.client.exception.SecureConnectionException: Unknown SSL error occurred), https://jellyfin.foxden:8096/Failure(org.jellyfin.sdk.api.client.exception.SecureConnectionException: Unknown SSL error occurred), https://jellyfin.foxden:8920/Failure(org.jellyfin.sdk.api.client.exception.TimeoutException: Connection failed)

I'm trying to use a custom private CA and I'm getting this error when trying to log in :(

@xssfox

xssfox commented Jan 1, 2024

I'm going to hazard a guess that ktor using okhttp doesn't use the system store CA root certs by default, which is why this exists: https://github.com/charleskorn/okhttp-system-keystore

@AdamantUnstable
Author

AdamantUnstable commented Jan 15, 2024

Self-signed CAs installed to the settings are supported by the app, so I'm not sure what's actually causing it in your case. Could you upload some logs of your connection failure so that we can find the real reason? Make sure to redact any personal information before posting the logs.

Sorry, got busy with other things. Which logs do you need specifically? I'll try and track them down and send them.

@jamesmurphy746

jamesmurphy746 commented Feb 17, 2024

I think this is an issue that extends to the Android TV client too: the client stops automatically logging in ('server unavailable'), solved by clearing data from Android settings and re-entering credentials.

Realised tonight that my certificate renewed only a couple of days ago. Strong correlation? [?]

@1024mb

1024mb commented Mar 7, 2024

I am having the same issue, and in my case I have added the CA and the intermediate certificates to the system store using the Magisk module; still it fails with

1709792832.731 10308 24902  4443 E chromium: [ERROR:ssl_client_socket_impl.cc(974)] handshake failed; returned -1, SSL error code 1, net_error -213
1709792832.738 10308 24902 24902 E JellyfinWebViewClient: Received SSL error: primary error: 5 certificate: Issued to: CN=REDACTED,O=REDACTED,L=REDACTED,ST=REDACTED,C=REDACTED;
1709792832.738 10308 24902 24902 E JellyfinWebViewClient: Issued by: CN=REDACTED,O=REDACTED,L=REDACTED,ST=REDACTED,C=REDACTED;
1709792832.738 10308 24902 24902 E JellyfinWebViewClient:  on URL: https://jellyfin.tld.xxx/

Android 14

@barbriqt

barbriqt commented Jul 18, 2024

Hello there,
I've had the same issue and found a solution that worked for me. It was in the Bitwarden docs in the "Using a self-signed Certificate" section. Apparently the "SAN" and config parts are what I've been missing. I also added the IP and DNS altnames just like @NovacX stated. Here is the command I used to generate the certificate.

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout example.key -out example.crt -subj "/CN=*.example.com" -reqexts SAN -extensions SAN -config <(cat /usr/lib/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:*.example.com,IP:12.12.12.12\nbasicConstraints=CA:true')) -subj "/C=US/ST=New York/L=New York/O=Company Name/OU=Bitwarden/CN=*.example.com"

@nunoaleixogoncalves

Hello there, I've had the same issue and found a solution that worked for me. It was in the Bitwarden docs in the "Using a self-signed Certificate" section. Apparently the "SAN" and config parts are what I've been missing. I also added the IP and DNS altnames just like @NovacX stated. Here is the command I used to generate the certificate.

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout example.key -out example.crt -subj "/CN=*.example.com" -reqexts SAN -extensions SAN -config <(cat /usr/lib/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:*.example.com,IP:12.12.12.12\nbasicConstraints=CA:true')) -subj "/C=US/ST=New York/L=New York/O=Company Name/OU=Bitwarden/CN=*.example.com"

This worked for you? I tried it and it has the same problem.

@barbriqt

Yes it did... What is your setup like? Do you use a reverse proxy or put the certificate directly into Jellyfin?

@nunoaleixogoncalves

Yes it did... What is your setup like? Do you use a reverse proxy or put the certificate directly into Jellyfin?

Using Traefik as a reverse proxy. I did the new certs with your command, updating just the local domain name, but Jellyfin on my Android TVs has the same problem as before.

Probably needs to be in the Jellyfin config directly or on the Android TV.

@barbriqt

barbriqt commented Aug 28, 2024

Ohhhh yea, I tried it on Android TV last week and mine doesn't even have a feature for importing CA certificates, so I put it off. Mind trying it on your phone?

I also use a reverse proxy... I don't think that's an issue.

@nunoaleixogoncalves

Ohhhh yea, I tried it on Android TV last week and mine doesn't even have a feature for importing CA certificates, so I put it off. Mind trying it on your phone?

I also use a reverse proxy... I don't think that's an issue.

The problem is the self-signed cert for sure, and probably because it's not from a trusted CA.

Because it works in the browser (on the Android TVs), and if I remove HTTPS and certs from the config it works fine in all clients.

The Android app doesn't like untrusted CAs / self-signed certs...

Already tested on the phone, with or without the cert; it does not work :(

@barbriqt

To my understanding Android has its own certificate store which you can add CA certificates to. They should be recognised regardless of the app. For example, when I added my self-signed certificate to my phone's store I stopped getting insecure warnings when accessing Jellyfin from the browser, and the native app started working.

Just to be on the same page, did you install the certificate in your client's certificate store?

@nunoaleixogoncalves

Yes.

I did restart the Wi-Fi and now it works on the app and in the browser without any warnings!

But not on the TVs; I probably have to add the cert manually in all clients.

And I'm not going to do that 😢

Probably going for a Let's Encrypt solution or something.

For now I'm going to disable HTTPS and enjoy some TV show in the bedroom.

Thanks for the help tho! 👍

@xssfox

xssfox commented Aug 28, 2024

FYI, I think many of the people in this thread are having issues where the CA cert is installed in the Android root store and Jellyfin is reverse proxied using a different certificate signed either by the CA or an intermediate.

The CA and intermediate cert chain is provided by the reverse proxy and would otherwise work fine (e.g. browsing to the page via a browser works fine); however the Jellyfin app doesn't work.

Installing the server cert directly or even the intermediate certificate isn't a great solution.

I've noticed an issue with another app (Keyguard with Bitwarden, I think) where name constraint checks fail when the intermediate cert check fails (can't remember if this is because the intermediate is missing the name constraint check, or if it's failing because the name isn't in the intermediate). Not sure if this is related to the issue.
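The situation xssfox describes (root CA in the Android store, leaf signed via an intermediate, proxy serving only part of the chain) together with the SAN point behind the openssl one-liner earlier, as an added example that is not from this thread or the Jellyfin project. It assumes `openssl` 1.1.1 or newer on PATH; the hostname and CA names are constructed.

```shell
#!/bin/sh
# Added example: build root CA -> intermediate -> server cert (with SAN), then
# check what a client trusting only the root sees with and without the chain.
set -e
WORK=$(mktemp -d)
HOST="jellyfin.home.example"   # constructed hostname, not from the thread

gen_chain() {
  # Root CA (self-signed). Only CA certificates carry CA:true.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Home Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  # Intermediate CA, signed by the root, same CA extensions.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Home Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
  # Server (leaf) cert: CA:FALSE plus a SAN, which modern clients match against
  # the hostname instead of the CN.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
  # What the reverse proxy should serve: leaf first, then the intermediate.
  cat "$WORK/server.crt" "$WORK/int.crt" > "$WORK/fullchain.pem"
}

# Prints the SAN the leaf carries, e.g. "DNS:jellyfin.home.example".
leaf_san() {
  openssl x509 -in "$WORK/server.crt" -noout -ext subjectAltName | tail -n 1 | tr -d ' '
}

# Client trusting only the root, receiving leaf + intermediate: verifies.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
    -verify_hostname "$HOST" "$WORK/server.crt" >/dev/null 2>&1
}

# Same client, but the proxy sent the leaf alone: fails with "unable to get
# local issuer certificate", which an app surfaces as a generic SSL error.
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.crt" -verify_hostname "$HOST" \
    "$WORK/server.crt" >/dev/null 2>&1
}
```

Unlike the self-signed one-liner quoted earlier, the leaf here carries CA:FALSE; CA:true belongs only on the root and intermediate.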

@barbriqt

barbriqt commented Aug 28, 2024

So some apps recognise intermediate certificates and others don't? That would mean the way a certificate is checked against the root store depends on the app. It kinda feels like a mess imo...

Also @nunoaleixogoncalves, in no world would I buy a domain for Let's Encrypt just to use it LOCALLY with MY OWN server and clients. It's just so sad we are expected to do it that way. But that's just my take. Glad it worked for you!

@NikMAX2077

Same problem here. I think it would be really helpful if there was a checkbox like "Allow self-signed certificate" on the login screen
