Trust Self Signed Certificates with Immich - OAuth Setup

[seifer44]

I was setting up Authentik to function as an OAuth2/OpenID provider for Immich, but ran into a problem where I'd get the following, somewhat vague error.

[Nest] 17  - 05/25/2025, 11:32:53 AM   ERROR [Api:OAuthRepository~sgxduz9o] Error in OAuth discovery: TypeError: fetch failed
[Nest] 17  - 05/25/2025, 11:32:53 AM   ERROR [Api:OAuthRepository~sgxduz9o] TypeError: fetch failed
    at node:internal/deps/undici/undici:13502:13
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async performDiscovery (file:///usr/src/app/node_modules/openid-client/build/index.js:266:16)
    at async discovery (file:///usr/src/app/node_modules/openid-client/build/index.js:243:16)
    at async OAuthRepository.getClient (/usr/src/app/dist/repositories/oauth.repository.js:85:20)
    at async OAuthRepository.authorize (/usr/src/app/dist/repositories/oauth.repository.js:25:24)
    at async AuthService.authorize (/usr/src/app/dist/services/auth.service.js:165:16)
    at async OAuthController.startOAuth (/usr/src/app/dist/controllers/oauth.controller.js:36:46)

This is despite the fact that I could curl my Authentik server just fine at the ISSUER_URL endpoint I have saved in Immich. However, if I pointed at the HTTP endpoint for Authentik instead, OAuth worked just fine.

Turns out that Immich was having issues with the self-signed CA I used to issue the HTTPS cert for Authentik, which is using a reverse proxy I set up with NGINX. It would work at the HTTP endpoint, because I'd point directly to port 9000, which is what the Authentik container exposes by default.

Fortunately, this is a relatively easy fix for Immich!

1. On your system running Immich in Docker, place your self-signed CA into a folder that has read permissions for your Immich container. In my case, the CA file is located in the directory /etc/pki/ca-trust/source/anchors/
   a. man page for update-ca-trust.
2. Edit your docker-compose.yml file, and for the immich-server service, and add a mount to the /certs directory. In my case, I point directly to where my custom CA files are at on my Enterprise Linux distribution (my case Rocky Linux). Don't add the Z flag if you don't have SELinux on your system.

volumes:
  /etc/pki/ca-trust/source/anchors/:/certs:roZ

4. Add an environment block and point to the specific CA file that issued your OAuth server's HTTPS cert.

    environment:
      NODE_EXTRA_CA_CERTS: /certs/CAFILENAME.pem

5. Run docker compose down && docker compose up -d, and try logging in via OAuth again. Fixed!

Here's the full reference for the immich-server service:

name: immich

services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    # extends:
    #   file: hwaccel.transcoding.yml
    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
    volumes:
      # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
      - /etc/pki/ca-trust/source/anchors/:/certs:roZ
    env_file:
      - .env
    environment:
      NODE_EXTRA_CA_CERTS: /certs/CAFILENAME.pem
    ports:
      - '2283:2283'
    depends_on:
      - redis
      - database
    restart: always
    healthcheck:
      disable: false

...

[zamu-flowerpot]

To get this to work correctly, I had to also configure a DNS for the immich_server service so that the oauth2 endpoint both the certificate and the immich service itself knew where to go to talk to the OAuth service.
This is only needed if your OAuth service is not publicly available and if your default DNS server for the docker host does not resolve your OAuth service (which can happen if you have multi-horizon DNS configurations).

services:
    immich-server:
        ...
        dns:
            - ${DNS_SERVER}
        ...

[seifer44]

Hey good catch! This hadn't crossed my mind, as I have internal, private DNS running in my network.

[PetitPrinc3]

Hi,

Thank you a lot for this, but despite doing precisely what you said, I'm still having the same error :

[Nest] 18  - 09/11/2025, 4:04:37 PM   ERROR [Api:OAuthRepository~z9a2dqei] Error in OAuth discovery: TypeError: fetch failed
[Nest] 18  - 09/11/2025, 4:04:37 PM   ERROR [Api:OAuthRepository~z9a2dqei] TypeError: fetch failed
    at node:internal/deps/undici/undici:13510:13
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async performDiscovery (file:///usr/src/app/server/node_modules/.pnpm/[email protected]/node_modules/openid-client/build/index.js:266:16)
    at async discovery (file:///usr/src/app/server/node_modules/.pnpm/[email protected]/node_modules/openid-client/build/index.js:243:16)
    at async OAuthRepository.getClient (/usr/src/app/server/dist/repositories/oauth.repository.js:85:20)
    at async OAuthRepository.authorize (/usr/src/app/server/dist/repositories/oauth.repository.js:25:24)
    at async AuthService.authorize (/usr/src/app/server/dist/services/auth.service.js:169:16)
    at async OAuthController.startOAuth (/usr/src/app/server/dist/controllers/oauth.controller.js:36:46)

To provide you with some context, everything is running on a proxmox host with two interfaces (vmbr0 : 192.168.1.20/24 & vmbr1 : 10.10.10.254/24)

I have one domain controller VM (samba) at 10.10.10.1 and I have configured authelia (at 10.10.10.4:9091) to authenticate against the ldap. It works fine. I have enabled TLS using a trusted chain with the domain's CA certificate and authelia'CA certificate and key.

I have an NGINX Reverse Proxy Manager at 192.168.1.X and 10.10.10.253. I have forwarded the authelia and immich hosts and I can access the both of them. However, I can't get immich to work with authelia.

• I have set SSL up for authelia in NPM using the same certificates as before.
• I can reach authelia from the immich-server container :

root@photos:/immich-app# docker exec -i immich_server sh
node -e "require('https').get('https://auth.home.lan:9091', res => console.log(res.statusCode))"
200

I believe that the issue occurs because while my DC (which I set as the DNS in the docker-compose.yaml) resolves auth.home.lan at 10.10.10.4, NPM redirects auth.home.lan at 10.10.10.4:9091 directly.

However, I do not know how to fix this.

I can share both my Authelia and Immich configs if need be.

I don't know what to try next... Any chance you could help ?

Thanks !

[PetitPrinc3]

Alright, I found a way to fix it.

Instead of having a DNS_SERVER set inside the docker-compose.yml file, it needed a simple extra_host instead.

For anyone having the same issue, simply add the following config to your yaml :

services:
  immich-server:
    ...
    extra_hosts:
        - "<authelia_hostname>:<NGINX Proxy Manager listening IP>"
    ...

[seifer44]

Do you have internal DNS available to your 192.168.1.0/24(?) network and your 10.10.10.0/24? I'd also check that DHCP is distributing DNS as expected, and that your networks can access your private DNS server(s) on port 53.

Patching through extra_hosts is a lot easier of a fix though 😛