Chronicle uses automatic HTTPS setup for secure microphone access and remote connections.
Modern browsers require HTTPS for:
- Microphone access over network (not localhost)
- Secure WebSocket connections (WSS)
- Remote access via Tailscale/VPN
- Production deployments
The main backend uses Caddy for automatic HTTPS:
Configuration: backends/advanced/Caddyfile
Activation: Caddy starts when using --profile https or when the wizard enables HTTPS
Certificate: Self-signed for local/Tailscale IPs, automatic Let's Encrypt for domains
Ports:
- 443 - HTTPS (main access)
- 80 - HTTP (redirects to HTTPS)
Access: https://localhost or https://your-tailscale-ip
The speaker recognition service uses nginx for HTTPS:
Configuration: extras/speaker-recognition/nginx.conf
Certificate: Self-signed via ssl/generate-ssl.sh
Ports:
- 8444 - HTTPS
- 8081 - HTTP (redirects to HTTPS)
Access: https://localhost:8444
When you run ./wizard.sh, the setup wizard:
- Asks if you want to enable HTTPS
- Prompts for your Tailscale IP or domain
- Generates SSL certificates automatically
- Configures Caddy/nginx as needed
- Updates CORS settings for HTTPS origins
No manual setup required - the wizard handles everything.
Since we use self-signed certificates for local/Tailscale IPs, browsers will show security warnings. To proceed:
- Click "Advanced"
- Click "Proceed to localhost (unsafe)" or similar
- Microphone access will now work
For production with real domains, Caddy automatically obtains valid Let's Encrypt certificates.
HTTPS not working:
- Check Caddy/nginx containers are running: docker compose ps
- Verify certificates exist: ls backends/advanced/ssl/ or ls extras/speaker-recognition/ssl/
- Check you're using https:// not http://
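Going one step beyond the "verify certificates exist" check above, this shell function confirms that a certificate parses, is not about to expire, and lists the address you connect to in its subjectAltName. It is an added example, not part of the Chronicle repository; the function name cert_status is hypothetical, and the certificate path is an argument because this page does not name the files under ssl/.

```shell
#!/bin/sh
# Added example, not part of Chronicle. cert_status is a hypothetical helper.
# Usage: sh cert-check.sh <path-to-cert.pem> <host-or-ip> [min-seconds-left]
# The certificate path is an assumption: pass whichever PEM file you find
# under backends/advanced/ssl/ or extras/speaker-recognition/ssl/.

# Prints one of: missing | unreadable | expiring | name-mismatch | ok
cert_status() {
    cert=$1 host=$2 min_left=${3:-0}

    [ -f "$cert" ] || { echo missing; return 1; }

    # A file that is not a parseable X.509 certificate fails here.
    openssl x509 -in "$cert" -noout 2>/dev/null \
        || { echo unreadable; return 1; }

    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend "$min_left" >/dev/null 2>&1 \
        || { echo expiring; return 1; }

    # IP literals are matched against iPAddress SAN entries, names against
    # dNSName entries, so pick the check that fits the argument.
    case $host in
        *:*)       flag=-checkip ;;    # IPv6 literal
        *[!0-9.]*) flag=-checkhost ;;  # contains other characters: DNS name
        *)         flag=-checkip ;;    # dotted-quad IPv4
    esac

    # openssl reports the comparison as text, so test the message rather
    # than the exit code.
    if openssl x509 -in "$cert" -noout "$flag" "$host" 2>/dev/null \
            | grep -q 'does match certificate'; then
        echo ok
    else
        echo name-mismatch
        return 1
    fi
}

# Run the check only when arguments are supplied on the command line.
if [ "$#" -ge 2 ]; then
    cert_status "$@"
fi
```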
Microphone not accessible:
- Ensure you're accessing via HTTPS (not HTTP)
- Accept browser certificate warning
- Verify you're not using localhost from remote device (use Tailscale IP instead)