
chekovcodes | 5 years ago

Yes, because the desktop client runs on localhost (or 127.0.0.1 actually), there is no way to produce a valid self-signed cert that won't cause browsers to complain. The desktop Electron app causes this problem to disappear from view, but otherwise it's more or less unavoidable if you want to allow people to connect over HTTPS to a service running on loopback - in our case it's really what we want as we're a bit paranoid about exposing users to internet-borne risk!


Naac|5 years ago

What? Why can't you just use a reverse proxy that terminates SSL?

I don't think you're going to get any traffic if the landing page people see is a security warning.

chekovcodes|5 years ago

I don't think a reverse proxy would work in this case due to the JWT security requirements (callbackable internet-accessible endpoints). In any case, that's one of the big reasons we are favoring the Electron app as the primary desktop interface, because it takes the problem away. The browser-based interface is targeted at server deploys, and in those cases, if you're hosting from a proper IP address, you want to install your own cert of course.