Cross posted from my blog (from January 1). Hopefully useful in this wider community. =)

Relatively recently, I saw Wes Bos' YouTube Short about local https with Caddy.

I tried exactly that, but kept getting the self-signed certificate warnings in browsers. Boo! I figured there must be an extra step on my machine.

TL;DR: This is how I got it working: Install certutil

# Install `certutil`:
brew install nss

So, brew install nss, and then caddy file-server --domain tg.localhost, or even stuff like caddy reverse-proxy --from tg.localhost --to http://localhost:1313.

The first time you run Caddy, it will prompt for your system password to install a trusted root cert. After that, no more "self signed certificate" warnings.

And yes: Change tg.localhost to just about anything you want. Open it in your browser, and it should "just work"!

How I figured it out

When running things like caddy file-server --domain tg.localhost, I noticed warnings in the output. This was while Caddy was trying to create/install the root certificate, and suggesting to install certutil:

WARN    pki.ca.local    installing root certificate (you might be prompted for password)    {"path": "storage:pki/authorities/local/root.crt"}
INFO    warning: "certutil" is not available, install "certutil" with "brew install nss" and try again

It did prompt for local machine password a couple times, so I figured whatever fallback mechanism it was using would be working. But apparently not. Because I was still seeing "self signed" certificate warnings.

I've never used certutil, so wasn't familiar. But I decided to try it and ran brew install nss per the recommendation from Caddy output.

To be sure, I ran caddy trust, (while caddy run was running in another terminal!) and it worked flawlessly.

In subsequent tests, I haven't had to untrust/trust. It "Just Works", as long as certutil is already installed.

Hope that's helpful!