I have the exact same problem, didged always-on VPN and started using mTLS a while ago and now the wifey started complaining that she's constantly unable to download pictures out of my shared album.
Testing her claim I was also unable to download cloud-only pictures to my phone (now running 1.123.0, updated from 1.121.0 to see if that fixed the problem but it didnt)..
After switching the app the the local-lan adres downloads worked fine again, setting it back on mTLS settings downloads where unavaileble again with the error "Download failed" and absolutely zero logs about the faillure.

Edit:
Im running mTLS directly on my Fortigate firewall with my own private PKI.

Edit 2:
I know its not related to this issue but just to get it out there once more I'd also really love to see a "dowload selected" option within the app..
Downloading multiple images is a PITA atm..

I think this is the issue I'm currently facing.

I have nginx as a reverse proxy in the middle with a custom PKI, and apparently cannot download any file from the app nor can I stream a video that I don't locally have.

The nginx logs don't see anything being accessed from the app at all, not during a video stream request, nor when I try to download a file.

Web app works fine.

P.S. It's enough to just run a custom PKI, configuring client certificate is not necessary to trigger the issue.

I currently attribute my issue to the "ignore custom certificate errors" flag not being passed through.

Reconfiguring the proxy to allow http fixes this issue for me... until the issue is closed.

Reconfiguring the proxy to allow http

This seems like a bad idea. A better "workaround" would be using real WebPKI certificates.

I currently attribute my issue to the "ignore custom certificate errors" flag not being passed through.

That could be the case, my PKI is private as well.
Not planning on going with public PKI because the costs of managing it is just to much for me and LetsEncrypt is not an option for me because I have many IOT devices with certificates because many browsers are annoying with their war on self-signed certs so having your own CA that is trusted on every device within the LAN is great and I provides me the option of generating IOT useless-certificates with 50 year expiration dates just so browsers wont bug me when accessing the webinterfaces)..
My mTLS also runs based on that private CA and I have imported the CA into android with the mTLS client certificate that is required for more services than Immich (like HASS).
In Immich app I imported the certificate as wel and selected the self-signed cert checkbox to get it to connect, other then not being able to download it all works flawlessly.

Reconfiguring the proxy to allow http

This seems like a bad idea. A better "workaround" would be using real WebPKI certificates.

I already evaluated risk-benefit. Not gonna do that. My instance is not public anyways and is only accessed through LAN or VPN. I can survive with unencrypted traffic for a while. I don't have the resources nor willpower nor any plan to make it a public instance just to have letsencrypt serve me a certificate for a private server with a subdomain that's completely local to my LAN, just to work around an evident bug.

Edit: of course other people should do their evaluations. For public facing instances you certainly don't want to run HTTP mode.

In Immich app I imported the certificate as wel and selected the self-signed cert checkbox to get it to connect, other then not being able to download it all works flawlessly.

Yup, another issue with Immich is that you need to flag the "ignore self signed cert" or the instance doesn't work.

Technically the certificate is in fact NOT self signed, it's just been signed by a CA that immich does not recognize. Even if I install the root CA on my android phone (which I did right as I configured my root CA...) Immich does not take that into account, au contraire I have other apps that don't have this issue i.e. Jellyfin, Nextcloud, NTFY...

make it a public instance just to have letsencrypt serve me a certificate

You don't have to make something publically accessible to get a let's encrypt cert. For example you can use a DNS-01 type challenge, which also lets you get a wildcard certificate if you like.

make it a public instance just to have letsencrypt serve me a certificate

You don't have to make something publically accessible to get a let's encrypt cert. For example you can use a DNS-01 type challenge, which also lets you get a wildcard certificate if you like.

Yes but I can't generate certificates with years of lifetime for my private services that require certificates but not the redicules enterprise grade expiration dates, so that's means having to keep monitoring certification expiration or my local services start failing if renewalls didnt succeed..
I already have that job outside of my home as an IT administrator don't need that for my local infrastructure that's just "private".

i just created a guide documenting how to securely setup TLS reverse proxy on the Internet for anywhere Immich mobile app use.

you can review these docs, https://github.com/ckuyehar/immich/blob/ckuyehar-docs-updates/docs/docs/guides/remote-access.md and https://github.com/ckuyehar/immich/blob/ckuyehar-docs-updates/docs/docs/administration/reverse-proxy-tls.md

please note: this doesn't resolve the issue - this merely works around the existing capabilities of Immich today

#15230

Closed as "Not planned"?
Does this mean mTLS stays broken for downloads?

As explained in #15230 the dev team does not plan to work on these experimental features but if someone is interested in writing a PR we will consider it.