Module tls

Self-signed TLS support for --tls mode (Phase 1: no system trust install). Generates a self-signed certificate for the configured domain (with *.<domain> SAN) and persists it under ~/.config/fbi-proxy/certs/ so the same fingerprint survives restarts — browsers can “remember the exception” once.

The browser warning is expected in this phase. Use Phase 2 (fbi-proxy trust) to install a local CA into the system trust store for a clean lock-icon experience.

Functions

build_acceptor
Build a TlsAcceptor for the given domain, reusing a persisted cert if one exists or generating + writing a fresh one if not.
cert_pem_path
Path to the cert file for a given domain (sibling .key lives at the same stem). Use this when you need to install the cert into a system trust store after build_acceptor has materialized it.
default_cert_dir
Where on-disk certs live. Layout: {base}/certs/{domain}.{pem,key}.
generate_self_signed
Generate a SAN-only self-signed cert valid for ~1 year. Returns (cert_pem, key_pem). The Common Name is intentionally left blank — modern browsers ignore CN and only honor SAN entries.
install_to_system_trust
Install cert_path as a trusted root anchor in the system trust store. Idempotent — checks is_trusted first and returns Ok(false) if no install was performed.
is_trusted
Whether the given cert is currently a trusted anchor on this system. Returns false if the check itself can’t be performed (unsupported platform, missing tool) — callers should treat that as “no, attempt install.”
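
Added example (not fbi-proxy's own code): which hostnames a SAN-only certificate covers, as described in the module overview and under generate_self_signed, assuming the SAN list is exactly the configured domain plus *.<domain>. It goes slightly beyond the page by applying the standard rule that a wildcard stands for one left-most label only, so nested subdomains fail hostname verification even after the cert is trusted. The names san_matches, assumed_sans and covered, and the sample domain dev.test, are hypothetical.

```rust
// Added example: hostname coverage of a SAN list of [domain, *.domain].
// Assumption: the generated cert carries exactly these two DNS SAN entries.

/// Match one DNS SAN entry against a hostname (RFC 6125 style):
/// a wildcard is only honoured as the whole left-most label and
/// stands for exactly one label.
fn san_matches(san: &str, host: &str) -> bool {
    let san = san.trim_end_matches('.').to_ascii_lowercase();
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    if host.is_empty() || host.contains('*') {
        return false;
    }
    match san.strip_prefix("*.") {
        Some(suffix) => match host.split_once('.') {
            // Exactly one non-empty label may take the wildcard's place.
            Some((first, rest)) => !first.is_empty() && rest == suffix,
            None => false,
        },
        // No wildcard: the names must be identical (case-insensitive).
        None => san == host,
    }
}

/// SAN list assumed for a configured domain (hypothetical helper).
fn assumed_sans(domain: &str) -> Vec<String> {
    vec![domain.to_string(), format!("*.{}", domain)]
}

/// True if any assumed SAN entry covers the hostname.
fn covered(domain: &str, host: &str) -> bool {
    assumed_sans(domain).iter().any(|san| san_matches(san, host))
}

fn main() {
    let domain = "dev.test"; // constructed sample domain
    let hosts = ["dev.test", "app.dev.test", "a.b.dev.test", "xdev.test", "APP.DEV.TEST."];
    for host in hosts.iter() {
        println!("{:<16} covered: {}", host, covered(domain, host));
    }
}
```

The bare domain is covered only by its own SAN entry, never by the wildcard, which is why both entries are needed.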

Type Aliases

BoxError