nself trust

Set up your local machine to serve nSelf projects over HTTPS on *.local.nself.org. One command installs a local CA via mkcert, configures port forwarding, and writes the resolver config. Run once per machine — the setup is idempotent.

Quick start

# Install everything (run once per machine)
nself trust install

# Check what's installed
nself trust status

# Remove everything
nself trust uninstall

Synopsis

nself trust <SUBCOMMAND>

Description

nSelf local development runs on *.local.nself.org subdomains (for example,api.local.nself.org, auth.local.nself.org). These subdomains resolve to127.0.0.1 via a Cloudflare wildcard record, but your browser still needs a trusted TLS certificate to serve them over HTTPS without warnings.

nself trust install handles this in three steps:

1. Installs mkcert (if not already present) and adds its root CA to your system trust store
2. Generates a wildcard certificate for *.local.nself.org and places it where Nginx expects it
3. Writes port-forwarding rules so Nginx can bind to ports 80 and 443 without requiring root for subsequent starts

The command is idempotent — if all three components are already configured, it exits immediately without prompting for admin credentials.

Subcommands

nself trust install

Install the local CA, generate the wildcard certificate, and configure port forwarding. Requires admin privileges once; idempotent on subsequent runs.

nself trust install
# Checking existing trust configuration...
# mkcert CA:          already installed
# Wildcard cert:      already present
# Port forwarding:    configuring...  done
# Trust setup complete.

On macOS, port forwarding uses a LaunchDaemon and pfctl. On Linux it uses setcap or a systemd unit. The admin prompt fires at most once per component — if the component is already in place, no prompt appears.

nself trust status

Print the status of each trust component.

nself trust status
# mkcert CA:       installed (expires 2031-05-07)
# Wildcard cert:   present   (expires 2027-05-07)
# Port forwarding: active    (LaunchDaemon com.nself.portforward)
# DNS resolver:    active    (nameserver 127.0.0.1 port 5353)

nself trust uninstall

Remove all trust components: revoke the CA from the system trust store, delete the wildcard certificate, and remove port-forwarding rules.

nself trust uninstall
# Removed mkcert CA from system trust store
# Deleted wildcard certificate
# Removed port-forwarding LaunchDaemon
# Trust configuration removed.

What requires admin

Troubleshooting

Browser still shows certificate warning

# Verify the CA is in the trust store
nself trust status

# Re-run install if CA is missing
nself trust install

# Then restart your browser — some browsers cache trust decisions

Port 443 already in use

# Find what's holding the port
lsof -i :443

# Stop it, then re-run
nself trust install

Port forwarding not active after reboot

# The LaunchDaemon should load automatically. Check:
launchctl list | grep nself

# If missing, re-run install
nself trust install

Related

• nself dns-setup — configure local DNS resolver
• nself start — start the full stack
• nself doctor — diagnose setup issues