Jellyfin App cannot connect to anything ever.

[Xerxes4242]

I have a very basic setup. Jellyfin runs on a dedicated Debian VM. It works great.
I do not have any fancy footwork in my networking. Just the built in Jellyfin defaults. I've enabled HTTPS with my internal CA, however I do not believe this is relevant.

On any web-browser, on any relevant device, jellyfin is accessible via http or https. Using the IP or the URL. It all works. (SSL too)
Using the APP, however, I have hit and mostly miss results.
Android Pixel 7 Pro
  App version 2.6.0
  Works. It just works. (SSL too)
Google Pixel Slate
  App version 2.6.0
  It does not. It "tries candidates" but will not connect.
  I even force stopped, cleared cache+storage, uninstalled, rebooted, reinstalled, and then tried the demo server first.
  It does not connect to my own jellyfin, with IP or URL, with https or http.
Wife's iPhone
  App Version: Installed from Apple store, wife not present.
  Same as the slate. It just won't connect.
Wife's iPad
  Same as iPhone.

I've tried disabling SSL completely to no avail.
The CA is trusted on all devices, and I'd like to stress, even if I disable this, there is no change.
Any device can also connect just fine in the browser with no issues.
This DOES work on at least one android device.

Finally, there is never anything in the logs about the failed connections.
I logged the connections in my firewall, and can confirm that the affected devices are sending traffic to the server, but nothing in the jellyfin logs.

[TheDreadPirate]

Are you restricting which TLS protocols you are allowing? Perhaps TLS 1.3 only? Are you using a reverse proxy?

[Xerxes4242]

Thanks for the quick reply Dread.
If there is a setting within jellyfin to restrict TLS versioning, I do not see it
A quick nmap scan shows that the default behavior supports TLSv1.2 and TLSv1.3
I am not using a reverse proxy. I connect directly to the machine running jellyfin.
When I disable SSL/TLS within jellyfin, there is no change in behaviour.


PORT    STATE SERVICE
8920/tcp open  unknown
| ssl-enum-ciphers:
|  TLSv1.2:
|    ciphers:
|      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|    compressors:
|      NULL
|    cipher preference: server
|    warnings:
|      Key exchange (ecdh_x25519) of lower strength than certificate key
|  TLSv1.3:
|    ciphers:
|      TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|      TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|      TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|    cipher preference: server
|_  least strength: A

[TheDreadPirate]

Ok. Jellyfin does NOT have any way to configure https, which is why we recommend using a reverse proxy for https.

Can you share your network.xml file?

/etc/jellyfin/network.xml

[Xerxes4242]

Sure,
Here's the content of the network.xml file with minor redaction. In the jellyfin admin gui, I've used "enable HTTPS" to set up https and it works just fine for browsers and my Android phone.

<?xml version="1.0" encoding="utf-8"?>
<NetworkConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<RequireHttps>false</RequireHttps>
<CertificatePath>/etc/jellyfin/certs/[redacted].p12</CertificatePath>
<BaseUrl />
<PublicHttpsPort>8920</PublicHttpsPort>
<HttpServerPortNumber>8096</HttpServerPortNumber>
<HttpsPortNumber>8920</HttpsPortNumber>
<EnableHttps>true</EnableHttps>
<PublicPort>8096</PublicPort>
<UPnPCreateHttpPortMap>false</UPnPCreateHttpPortMap>
<UDPPortRange />
<EnableIPV6>false</EnableIPV6>
<EnableIPV4>true</EnableIPV4>
<EnableSSDPTracing>false</EnableSSDPTracing>
<SSDPTracingFilter />
<UDPSendCount>2</UDPSendCount>
<UDPSendDelay>100</UDPSendDelay>
<IgnoreVirtualInterfaces>true</IgnoreVirtualInterfaces>
<VirtualInterfaceNames>vEthernet*</VirtualInterfaceNames>
<GatewayMonitorPeriod>60</GatewayMonitorPeriod>
<TrustAllIP6Interfaces>false</TrustAllIP6Interfaces>
<HDHomerunPortRange />
<PublishedServerUriBySubnet />
<AutoDiscoveryTracing>false</AutoDiscoveryTracing>
<AutoDiscovery>true</AutoDiscovery>
<RemoteIPFilter />
<IsRemoteIPFilterBlacklist>false</IsRemoteIPFilterBlacklist>
<EnableUPnP>false</EnableUPnP>
<EnableRemoteAccess>true</EnableRemoteAccess>
<LocalNetworkSubnets>
<string>10.0.0.0/8</string>
<string>100.64.0.0/10</string>
</LocalNetworkSubnets>
<LocalNetworkAddresses />
<KnownProxies />
<EnablePublishedServerUriByRequest>false</EnablePublishedServerUriByRequest>
</NetworkConfiguration>

[TheDreadPirate]

Does your P12 file include the full trust chain?

[Xerxes4242]

I "solved" this problem, but what I did should not have made any difference, and any quick google search shows that these same symptoms show up for many, many people with the app.
I'd like to keep troubleshooting to help understand WHY this issue occurs.

Original situation:
https is enabled, http does not work for certain clients.
Disable https, http still doesn't work for certain clients.

What "fixed" it:
disable https. completely restart jellyfin.service.
connect problem clients on http. (no ssl). It works this time! (for me, on two devices)
re-enable https. completely restart jellyfin.service.

Now the devices which previously could not connect with http, can connect with http.
Devices already using https may continue using https.
Enabling https without requiring https should not affect http connections.
<EnableHttps>true</EnableHttps>
<RequireHttps>false</RequireHttps>

Ideally, all devices could use https, but if that's not the scope of the jellyfin app (reverse proxy and all that) I understand.

As for your question Dread, I do not know certs well enough to answer that, which is why I was so willing to just turn off https for troubleshooting.
I use pfsense as my trusted CA, and generate a server cert. I then download that p12 and use it for the jellyfin server.
For some android apps and ALL browsers, this is sufficient.

Inside the chain.pem, I have 2 "cert" sections, so
-----BEGIN CERTIFICATE-----
jhkdsjakhdskjhdgjhsgjkhfdsajhk
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
jhfdajhkfdsfdskjhlfdsjhkfdsjkhjhfdsak
-----END CERTIFICATE-----

the .pem has only one such section.