Do not disable cert verification
This page is a capture in the next bucket of the product backlog — a pre-sprint idea, not yet pulled into a sprint as a story.
At present we've hacked cert verify to false. We should not do this. Gemini:
You cannot use Let's Encrypt for development purposes because it requires a public domain name that Let's Encrypt can verify, and your local development server is not publicly accessible. The recommended approach is to create a local certificate authority (CA) using a tool like mkcert to sign your certificates, which allows you to bypass browser warnings for local domains like localhost.
Option 1: Use mkcert for local development
- Install mkcert: Follow the instructions to install the mkcert tool on your system.
- Install the local CA: Run the command to install the local CA root certificate into your system's trust store. This is a one-time setup.
- Generate a local certificate: Use mkcert to generate certificates for your local development domains (e.g., localhost, my-app.local). The generated certificates will be signed by your trusted local CA and will not cause browser warnings.
Option 2: Use Let's Encrypt with a real public domain
- Purchase a domain: Buy a public domain name (e.g., mydomain.dev).
- Use an ACME client: Use an ACME client like Certbot to automate the certificate process. You can run certbot on a server that is accessible to the public internet.
- Complete the validation: The client will need to verify your ownership of the domain through a DNS or HTTP challenge, which requires the domain to be publicly reachable.
- Deploy the certificate: Let's Encrypt will issue a certificate that you can then deploy to your development server.
Why Let's Encrypt doesn't work for local development
- Let's Encrypt's primary purpose is to secure public-facing websites by automatically verifying domain ownership.
- They use ACME protocol challenges (DNS or HTTP) that require the public internet to access your server at the specified domain.
- Since your local server is not on the public internet, it cannot respond to these challenges, and Let's Encrypt cannot verify your ownership of the domain.
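One way to keep verification on once the local CA exists, shown as an added example that is not part of this backlog item or the quoted answer, and assuming a Python client: a TLS context that trusts the mkcert root alongside the system store, plus a check that flags a context whose verification has been weakened. The function names and the CA path argument are hypothetical; `mkcert -CAROOT` prints the directory that holds `rootCA.pem`.

```python
import ssl
from pathlib import Path
from typing import Optional


def build_client_context(local_ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Return a TLS client context that always verifies the server.

    local_ca_pem is an assumed path to the development CA root, e.g. the
    rootCA.pem inside the directory printed by `mkcert -CAROOT`.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    if local_ca_pem is not None:
        ca = Path(local_ca_pem)
        if not ca.is_file():
            # Fail loudly instead of falling back to an unverified connection.
            raise FileNotFoundError(f"development CA not found: {ca}")
        ctx.load_verify_locations(cafile=str(ca))
    return ctx


def verification_problems(ctx: ssl.SSLContext) -> list:
    """List the ways a context has had verification weakened."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        problems.append("check_hostname is disabled")
    return problems


def weakened_context() -> ssl.SSLContext:
    """The 'hacked to false' state, built only so the check has something to flag."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print(verification_problems(build_client_context()))
    print(verification_problems(weakened_context()))
```

Running `verification_problems` over every context the application builds, as a unit test or CI step, catches a reintroduced bypass before it ships.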