Closed
Problem
After PR #55 (HTTPS by default), users see a browser certificate warning on every first visit because the auto-generated certificate is self-signed and not trusted by the OS/browser.
Chrome also shows NET::ERR_CERT_AUTHORITY_INVALID rather than a simple unknown-cert warning because the current cert generation uses only CN without a Subject Alternative Name (SAN), which Chrome requires.
Proposed solution
1. Fix SAN in cert generation

Update the openssl command in all 3 docker-compose files to include SAN:

```sh
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout server.key -out server.crt \
  -subj "/CN=${IP}" \
  -addext "subjectAltName=DNS:localhost,IP:${IP},IP:127.0.0.1"
```

2. Add trust-cert.sh script

A standalone multi-OS script (~40 lines) that:
- Detects OS (`uname -s`)
- Checks if cert is already trusted (idempotent)
- Asks user confirmation (requires `sudo`)
- Installs cert in the appropriate trust store:
| OS | System trust | Chrome | Firefox |
|---|---|---|---|
| macOS | `security add-trusted-cert` → keychain | Uses keychain | Uses keychain |
| Linux Debian/Ubuntu | `update-ca-certificates` | `certutil` (nssdb) | `certutil` (mozilla) |
| Linux RHEL/Fedora | `update-ca-trust` | `certutil` (nssdb) | `certutil` (mozilla) |
Optional dependency on Linux: libnss3-tools (Debian) / nss-tools (RHEL) for Chrome/Firefox trust. Script works without it (just trusts at OS level).
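As an added example (not the project's trust-cert.sh, which does not exist yet at the time of this issue), here is one way the script sketched above could be built, covering both the SAN requirement from step 1 and the detect / check / confirm / install flow from step 2. Assumptions not stated in the issue: the certificate is read from `./certs/server.crt` (the bind-mount path mentioned under Context), the NSS nickname `local-dev-server` is made up here, and the Chrome and Firefox NSS databases are at the conventional `~/.pki/nssdb` and `~/.mozilla/firefox/*.default*` locations. OS detection is split into a pure `classify_os` function so the mapping can be exercised without touching the host.

```shell
#!/bin/sh
# Added example of the proposed trust-cert.sh; not the project's own script.
# Assumed (not from the issue): cert path, NSS nickname, browser NSS db locations.
CERT="${CERT:-./certs/server.crt}"
NICK="local-dev-server"

# Map `uname -s` output and the /etc/os-release ID onto the OS families in the
# issue's table. Both inputs are arguments so the mapping is testable offline.
classify_os() {
  case "$1" in
    Darwin) echo macos ;;
    Linux)
      case "$2" in
        debian|ubuntu|linuxmint|pop) echo debian ;;
        rhel|fedora|centos|rocky|almalinux) echo rhel ;;
        *) echo unknown ;;
      esac ;;
    *) echo unknown ;;
  esac
}

detect_os() {
  id=""
  [ -r /etc/os-release ] && id=$(. /etc/os-release && echo "${ID:-}")
  classify_os "$(uname -s)" "$id"
}

# Per-family locations: where new anchors go, and the bundle used to verify
# that the cert is already trusted (idempotency check).
trust_store_dir() {
  case "$1" in
    debian) echo /usr/local/share/ca-certificates ;;
    rhel)   echo /etc/pki/ca-trust/source/anchors ;;
    *)      echo "" ;;
  esac
}
ca_bundle() {
  case "$1" in
    debian) echo /etc/ssl/certs/ca-certificates.crt ;;
    rhel)   echo /etc/pki/tls/certs/ca-bundle.crt ;;
    *)      echo "" ;;
  esac
}

# Chrome ignores CN, so trusting a cert without a SAN would not remove the
# warning; refuse early. Needs OpenSSL 1.1.1+ for -ext.
cert_has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName >/dev/null 2>&1
}

is_trusted() {
  case "$1" in
    macos) security verify-cert -c "$CERT" >/dev/null 2>&1 ;;
    *)     openssl verify -CAfile "$(ca_bundle "$1")" "$CERT" >/dev/null 2>&1 ;;
  esac
}

# Chrome and Firefox on Linux keep their own NSS stores; skip quietly when
# certutil (libnss3-tools / nss-tools) is absent, as the issue allows.
add_to_nss() {
  command -v certutil >/dev/null 2>&1 || { echo "certutil missing; OS-level trust only"; return 0; }
  for db in "$HOME/.pki/nssdb" "$HOME"/.mozilla/firefox/*.default*; do
    [ -d "$db" ] || continue
    certutil -d sql:"$db" -L -n "$NICK" >/dev/null 2>&1 && continue   # already present
    certutil -d sql:"$db" -A -t "C,," -n "$NICK" -i "$CERT"
  done
}

install_cert() {
  case "$1" in
    macos)
      sudo security add-trusted-cert -d -r trustRoot \
        -k /Library/Keychains/System.keychain "$CERT" ;;
    debian|rhel)
      sudo cp "$CERT" "$(trust_store_dir "$1")/$NICK.crt"
      if [ "$1" = rhel ]; then sudo update-ca-trust; else sudo update-ca-certificates; fi
      add_to_nss ;;
    *) echo "unsupported OS"; return 1 ;;
  esac
}

main() {
  os=$(detect_os)
  cert_has_san "$CERT" || { echo "$CERT has no subjectAltName; regenerate with -addext first"; exit 1; }
  if is_trusted "$os"; then echo "$CERT is already trusted"; exit 0; fi
  printf 'Install %s into the %s trust store (requires sudo)? [y/N] ' "$CERT" "$os"
  read -r answer
  case "$answer" in
    y|Y) install_cert "$os" ;;
    *)   echo "Skipped; the browser warning stays (current behavior)." ;;
  esac
}

# Only act when invoked with --install, so sourcing the file is side-effect free.
if [ "${1:-}" = --install ]; then main; fi
```

Run as `./trust-cert.sh --install` after `docker compose up -d`. The SAN check is deliberately placed before the trust-store write: installing the pre-PR CN-only certificate would grant trust without fixing the Chrome error the issue describes.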
3. Integration

- start-apple.sh: call trust-cert.sh automatically after services start
- Linux users: run `./trust-cert.sh` manually after `docker compose up -d`
- README: document the script
Context

- The cert is already accessible on the host via the `./certs` bind mount, so no `docker cp` is needed
- Non-blocking: if the user declines, falls back to current behavior (browser warning)
- Depends on PR fix: make HTTPS the default for all deployment modes #55 being merged first
Files to create/modify

- trust-cert.sh (new)
- docker-compose.yaml, docker-compose.cpu.yaml, docker-compose.apple.yaml (fix SAN)
- start-apple.sh (call trust-cert.sh)
- README.md (document trust-cert.sh)