Android apps can't connect on my server

[TheDreadPirate]

You're missing a lot of the standard nginx config for Jellyfin. Follow our guide.

https://jellyfin.org/docs/general/networking/nginx/

[Catter]

thx for the quick response.

finally i found the problem. i just specified the certificate and not the full chain.

changing the line

Code:

ssl_certificate  ../ssl/MY.TLD-crt.pem;

to:

Code:

ssl_certificate  ../ssl/MY.TLD-chain.pem;

fixed the issue.

[WoodroweBones]

Any chance you know how to do this with Caddy rather than NGINX?

[TheDreadPirate]

There shouldn't be any additional configuration required for Caddy. Caddy handles all of that automatically.

[leonerrante]

Hi to all, i just download the APK from play store and my laptops can connect to the server but android device Redmi Note 10 Pro Andriod 13, cant, the device is in the same network but cant connect!

[TheDreadPirate]

We'd need more details about your setup. Server version, server OS, are you using a reverse proxy, etc.

[raulx222]

There shouldn't be any additional configuration required for Caddy.  Caddy handles all of that automatically.

I'm running a server for about a year, most users are using the Jellyfin Media Player (Windows), Findroid (Android), Infuse (iOS) and there are no problems. But with Jellyfin for Android TV for some users it doesn't connect, when they input the host address, the app says it can't connect. From 3 friends that want to connect from TV, only one friend can connect via Android TV app, but other 2 friends can't connect to the server, one with Android TV and one with Amazon Fire TV stick.

The error on Amazon Fire TV stick is the following (it's also the same error for the other friend with Android TV):
   

But the same address works fine on other clients or in browser. I can't replicate this error myself since I don't own an Android TV. I tried emulating Android TV, but the app connects to the server without any issues.

Here is my Caddy config:

Code:

jellyfin.mydomain.com {
        reverse_proxy 192.168.3.85:8096
}

I did a SSL handshake simulation and looks good. Results:

Show Content

SSL handshake simulation
Handshake Simulation
Android 4.4.2 EC 256 (SHA384)  TLS 1.2 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
Android 5.0.0 EC 256 (SHA384)  TLS 1.2 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
Android 6.0 EC 256 (SHA384)  TLS 1.2 > http/1.1  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
Android 7.0 EC 256 (SHA384)  TLS 1.2 > h2  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256  ECDH x25519  FS
Android 8.0 EC 256 (SHA384)  TLS 1.2 > h2  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256  ECDH x25519  FS
Android 8.1 -  TLS 1.3 TLS_CHACHA20_POLY1305_SHA256  ECDH x25519  FS
Android 9.0 -  TLS 1.3 TLS_CHACHA20_POLY1305_SHA256  ECDH x25519  FS
BingPreview Jan 2015 EC 256 (SHA384)  TLS 1.2 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
Chrome 49 / XP SP3 Server sent fatal alert: handshake_failure
Chrome 69 / Win 7  R EC 256 (SHA384)  TLS 1.2 > h2  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256  ECDH x25519  FS
Chrome 70 / Win 10 -  TLS 1.3 TLS_CHACHA20_POLY1305_SHA256  ECDH x25519  FS
Chrome 80 / Win 10  R -  TLS 1.3 TLS_CHACHA20_POLY1305_SHA256  ECDH x25519  FS
Firefox 31.3.0 ESR / Win 7 EC 256 (SHA384)  TLS 1.2 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
Firefox 47 / Win 7  R EC 256 (SHA384)  TLS 1.2 > h2  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256  ECDH secp256r1  FS
Firefox 49 / XP SP3 EC 256 (SHA384)  TLS 1.2 > h2  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256  ECDH secp256r1  FS
Firefox 62 / Win 7  R EC 256 (SHA384)  TLS 1.2 > h2  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256  ECDH x25519  FS
Firefox 73 / Win 10  R -  TLS 1.3 TLS_CHACHA20_POLY1305_SHA256  ECDH x25519  FS
Googlebot Feb 2018 EC 256 (SHA384)  TLS 1.2 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256  ECDH x25519  FS
IE 11 / Win 7  R EC 256 (SHA384)  TLS 1.2 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
IE 11 / Win 8.1  R EC 256 (SHA384)  TLS 1.2 > http/1.1  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
IE 11 / Win Phone 8.1  R EC 256 (SHA384)  TLS 1.2 > http/1.1  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
IE 11 / Win Phone 8.1 Update  R EC 256 (SHA384)  TLS 1.2 > http/1.1  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
IE 11 / Win 10  R EC 256 (SHA384)  TLS 1.2 > h2  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
Edge 15 / Win 10  R EC 256 (SHA384)  TLS 1.2 > h2  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH x25519  FS
Edge 16 / Win 10  R EC 256 (SHA384)  TLS 1.2 > h2  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH x25519  FS
Edge 18 / Win 10  R EC 256 (SHA384)  TLS 1.2 > h2  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH x25519  FS
Edge 13 / Win Phone 10  R EC 256 (SHA384)  TLS 1.2 > h2  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
Java 8u161 EC 256 (SHA384)  TLS 1.2 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
Java 11.0.3 -  TLS 1.3 TLS_AES_128_GCM_SHA256  ECDH secp256r1  FS
Java 12.0.1 -  TLS 1.3 TLS_CHACHA20_POLY1305_SHA256  ECDH secp256r1  FS
OpenSSL 1.0.1l  R EC 256 (SHA384)  TLS 1.2 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
OpenSSL 1.0.2s  R EC 256 (SHA384)  TLS 1.2 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
OpenSSL 1.1.0k  R EC 256 (SHA384)  TLS 1.2 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256  ECDH x25519  FS
OpenSSL 1.1.1c  R -  TLS 1.3 TLS_CHACHA20_POLY1305_SHA256  ECDH x25519  FS
Safari 6 / iOS 6.0.1 Server sent fatal alert: handshake_failure
Safari 7 / iOS 7.1  R Server sent fatal alert: handshake_failure
Safari 7 / OS X 10.9  R Server sent fatal alert: handshake_failure
Safari 8 / iOS 8.4  R Server sent fatal alert: handshake_failure
Safari 8 / OS X 10.10  R Server sent fatal alert: handshake_failure
Safari 9 / iOS 9  R EC 256 (SHA384)  TLS 1.2 > h2  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
Safari 9 / OS X 10.11  R EC 256 (SHA384)  TLS 1.2 > h2  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
Safari 10 / iOS 10  R EC 256 (SHA384)  TLS 1.2 > h2  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
Safari 10 / OS X 10.12  R EC 256 (SHA384)  TLS 1.2 > h2  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
Safari 12.1.2 / MacOS 10.14.6 Beta  R -  TLS 1.3 TLS_CHACHA20_POLY1305_SHA256  ECDH x25519  FS
Safari 12.1.1 / iOS 12.3.1  R -  TLS 1.3 TLS_CHACHA20_POLY1305_SHA256  ECDH x25519  FS
Apple ATS 9 / iOS 9  R EC 256 (SHA384)  TLS 1.2 > h2  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
Yahoo Slurp Jan 2015 EC 256 (SHA384)  TLS 1.2 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS
YandexBot Jan 2015 EC 256 (SHA384)  TLS 1.2 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDH secp256r1  FS

I don't know how to debug this. What's the reverse proxy setup for the demo.jellyfin.org site? That one works on all TVs, it is possible to achieve the same setup with Caddy? Or the Android TV APK has some certificates baked in to allow the demo site to work properly?
Any help is appreciated. Thanks!

[TheDreadPirate]

I'm wondering if your clients don't trust the one of the CAs from Let's Encrypt. The intermediate CA in my cert is has a validity date starting earlier this year. If your Android TV clients haven't received any OS updates in a while they may not have that CA in their trust store. And this would require that your proxy offers the full chain.

Code:

Validity
            Not Before: Mar 13 00:00:00 2024 GMT
            Not After : Mar 12 23:59:59 2027 GMT
        Subject: C = US, O = Let's Encrypt, CN = E6

In Nginx (my proxy) it is possible to offer both the chain.pem and the fullchain.pem. Other users with this issue with their ATV clients were able to resolve the problem by configuring their apache or nginx proxy to offer both chains.

What I'm reading seems to indicate that Caddy does not present the chain cert that includes the root, which is also the case for Nginx and Apache, by default. But I'm having trouble finding documentation for configuring Caddy to offer the fullchain.

[raulx222]

I'm wondering if your clients don't trust the one of the CAs from Let's Encrypt.  The intermediate CA in my cert is has a validity date starting earlier this year.  If your Android TV clients haven't received any OS updates in a while they may not have that CA in their trust store.  And this would require that your proxy offers the full chain.

Code:

        Validity
            Not Before: Mar 13 00:00:00 2024 GMT
            Not After : Mar 12 23:59:59 2027 GMT
        Subject: C = US, O = Let's Encrypt, CN = E6

In Nginx (my proxy) it is possible to offer both the chain.pem and the fullchain.pem.  Other users with this issue with their ATV clients were able to resolve the problem by configuring their apache or nginx proxy to offer both chains.
What I'm reading seems to indicate that Caddy does not present the chain cert that includes the root, which is also the case for Nginx and Apache, by default.  But I'm having trouble finding documentation for configuring Caddy to offer the fullchain.

It is possible from Caddy to serve my own .pem file but the problem is that for now everything is done automatically, my caddy script is minimal, I don't know where to get from or how to prepare the .pem file myself.

Edit:
I was wondering why the demo.jellyfin.org/stable works on all ATVs that my server has problem with. And I inspected the SSL and the demo site also has only 2 certs (intermediate and leaf) and still work. Also the demo site has certificate from LetsEncrypt issued by ISRG Root X1 which is the same in my server. The only difference that i found is that the demo site has RSA certificate, I forced RSA on my server and still doesn't work (i checked with SSL inspector site and it confirms that is RSA).

I don't know what to do further... If you want I can PM you my server address so you can check if you see other differences between certificates on my server and the demo one.