SSL must be enabled for UI to work, since enabling SSL brings in haproxy which we then use to proxy requests to the services which UI calls upon. Agreed, however, that the assumption that using self-signed certificates also means assuming the user knows how to configure their environment (in this case, the browser) to use this self-signed certificate. I know that's a difficult line to take but it would also turn people more towards using legitimate SSL certificates from vendors such as Let's Encrypt or using their existing CA infrastructure.
I had suspected that including either/or the root CA or intermediate from the certmonger 'local' CA store we could drop clues to Firefox to tell it how to verify the self-signed certificate but using the CA (/etc/pki/ca-trust/source/anchors/cm-local-ca.pem) would work, but my tests didn't seem to indicate this would work.
Subscribing Juan Antonio Osorio since he knows SSL ins and outs very well and should be able to provide some excellent feedback and options.