>Asks client if the proxy can use self-signed cert
>Client agrees, no problem
>Deploys
>Client complains about "an error they're getting"
>The error: "Error in connection establishment: net::ERR_CERT_AUTHORITY_INVALID"

:|
Am I a joke to you? Or am I just talking to a brick wall over there?

But why couldn't the client use something like let's encrypt

@Sony-wf-1000xm3 They want the proxy exposed using only an IP address, not a domain name. And LE does not offer certs valid for IPs ¯\_(ツ)_/¯

You are talking to a human. Use human words. "Is it okay if you will see an error the first time you access the website from a new device? The error can be disabled, and the alternative is paying $x monthly for a certificate or using a domain name.

@Aldar oof this sounds like security by obscurity. Use a domain name for fucks sake

@homo-lorens Well, excuse me for having thought that a web application developer, authorized by his employer to ask for changes to be made on their production environment, already knows the basic concepts surrounding SSL/TLS.

Sure, if I was talking to a non-IT person, I would go into details, and/or explain stuff, but we're talking about a person working with technology and should have at least some background in the security they can/should use, and how it works so that they don't run the chance of exposing stuff they don't want to.

@eval We ended up using one, but that was not a decision for me to make. I am a mere sysadmin who does stuff clients want.

And if they want to have a service accessible only directly via IP, then I'd discourage... But ultimately, its not as ugly as some other stuff I encountered... Their decision.

@Aldar ofc my comment was directed at the client.