Appearance
HTTPS and certificates
Audience: Event organisers and timing operators who download SportIdent cards or back up stations from a computer other than the server.
meshO Manager runs fine over plain http:// for almost everything. There's one exception: reading a SportIdent download station (BSF7-USB / BSF8-USB) in the browser uses the Web Serial API, and browsers only allow that on a secure connection. On the server computer itself that's free (localhost always counts as secure); on any other computer it means turning on HTTPS and trusting meshO's certificate once.
This page explains when you need HTTPS, how to switch it on, how meshO's certificate works, how to trust it on each device, and — importantly — exactly what happens if you don't.
Do you even need HTTPS?
Most events don't. Work through this first:
| Your situation | What to do |
|---|---|
| You download cards on the same computer that runs the server | You don't need HTTPS. Just open Manager at http://localhost:5154/manager. localhost is always a secure context, so Web Serial works. |
| You only use Manager to view results, register competitors, run leaderboards, or watch radio punches on other devices | You don't need HTTPS. None of those use Web Serial. Plain HTTP over the LAN is fine. |
| You download cards or back up stations on a different computer to the server (a separate download laptop) | You need HTTPS on the server, and the certificate trusted on that download laptop. Read on. |
Why the restriction? The Web Serial API talks directly to USB hardware from inside the browser. Browsers (Chrome and Edge) only expose it on
localhostor overhttps://. That's a browser security rule, not a meshO choice — there's no setting that turns it off. See Downloading cards.
On the server, use
localhostspecifically — not its host name or IP. Onlylocalhost(and127.0.0.1) counts as a secure context over plain HTTP. If you reach the same machine through its own host name or LAN IP — sayhttp://192.168.1.42:5154/manager— the browser treats it as an ordinary insecure origin and withholds Web Serial, so the download affordance won't appear even though you're sitting at the server. Openhttp://localhost:5154/manager(the address the tray / menu bar app uses) and it just works, no HTTPS needed.
Turn on HTTPS
- On the server computer, open Settings → Server.
- Switch on Enable HTTPS (for download / station-backup machines).
- Leave the HTTPS Port at the default (
5155) unless it clashes with something else on the machine. It must be different from the HTTP port. - Save your settings.
- Restart the server — HTTPS only binds at startup. On the server you can do this from the tray / menu bar icon: Restart Server.
After the restart, Settings → Server shows a table of Access links. The secure ones are tagged HTTPS. These are the links your download laptop should use.
HTTP never goes away. Turning on HTTPS adds a secure endpoint alongside the existing plain-HTTP one. Everything that already worked over HTTP — the tray app opening
localhost, leaderboard TVs, spectator phones, registration laptops — keeps working exactly as before. If HTTPS can't start for any reason (see Troubleshooting), Manager quietly falls back to HTTP-only rather than failing to start.
How meshO's certificate works
A secure (https://) connection needs a certificate. Public websites buy one from an authority your browser already trusts. meshO can't do that — it runs on your laptop on a private network with no public name — so instead it acts as its own small certificate authority (CA):
- The CA is created automatically the first time HTTPS is enabled and is reused from then on.
- It signs a short-lived server certificate for this computer's current name and LAN IP. If you rename the computer or it moves to a different network, that server certificate has to change — meshO handles this for you (see If the server is renamed or its IP changes).
- A device trusts the CA once, and then every certificate the CA signs is trusted too. That's why you install the CA, not the per-machine certificate.
The certificate files live in your meshO data folder under certs/. The private keys never leave the server.
If the server is renamed or its IP changes
The per-machine server certificate is tied to the server's name and LAN IP, so if either of those changes the certificate must be updated. The important thing to know:
A rename or new IP does not mean reinstalling certificates on anyone's device.
- It's automatic. meshO notices the new name/IP and reissues the server certificate itself. You never create, request, or copy a certificate by hand.
- Restart the server to apply it. HTTPS binds its certificate when the server starts, so restart the server (tray / menu bar → Restart Server) for the new certificate to be served. Until you restart, the old certificate is still in use, so connecting by the new name will show a name-mismatch warning.
- No reinstalling — on the server or the clients. The reissued certificate is signed by the same long-lived meshO CA your devices already trust, so that trust carries straight over. You install the CA once per device and never again, even after a rename or network change.
The only thing to get right afterwards is that each device reaches the server by a name or IP the new certificate covers — the current computer name, its
.localname, and the LAN IP, all listed in the Access links table in Settings → Server. If anyone bookmarked the old address, update the bookmark.
The single exception is the rare case where meshO has to regenerate the CA itself (for example, the CA expired after ten years, or its file was corrupted). That does require re-trusting the new CA on every device — but it doesn't happen on an ordinary rename or IP change.
Trusting the certificate
"Trusting" is the step that tells a device's browser the meshO CA is legitimate. It's separate from turning HTTPS on — HTTPS serves whether or not anything trusts it; trusting is what makes the browser warning go away.
You trust the CA once per device that will open a secure link.
On the server computer
In Settings → Server, under Trust the certificate, click Install certificate on the server. What this does depends on the operating system:
- Windows — adds the CA to your user's trust store directly. You'll get a one-time Windows consent prompt; click Yes.
- macOS — adds the CA to your login keychain. macOS may ask for your keychain or login password.
- Linux — system trust usually needs root, so the automatic button often can't do it. Use the manual steps below.
When it works, the button is replaced by a green Trusted on the server chip. If it didn't take, you'll see a Not trusted yet chip and a message explaining why — fall back to the manual steps under "The button didn't work?" on that screen, or below.
On other machines (download / backup laptops)
These are always done by hand, because meshO can only automate trust on the machine it's running on.
- On that laptop, open Manager over the LAN — e.g.
http://mesho.local:5154/managerorhttp://<server-ip>:5154/manager. - Go to Settings → Server and click Download certificate (or browse directly to
http://<server-ip>:5154/manager/api/https/ca.crt). - Install the downloaded file following the steps for that device's operating system, below.
- Re-open the laptop using the HTTPS access link. The warning should be gone and card download will work.
Installing manually
The downloaded file is named meshO-CA-<computer>.crt. Install it as a trusted root certificate authority:
Windows
- Double-click the
.crtfile → Install Certificate. - Choose Current User → Next.
- Select Place all certificates in the following store → Browse → Trusted Root Certification Authorities → OK.
- Next → Finish. Confirm the security prompt with Yes.
- Fully close and reopen the browser.
macOS
- Double-click the
.crtto open it in Keychain Access (it lands in the login keychain). - Find meshO Manager Local CA, double-click it, and expand the Trust section.
- Set When using this certificate to Always Trust.
- Close the window — macOS will ask for your password to save the change.
iPad / iPhone (iOS / iPadOS)
Apple splits this into install and trust:
- Open the download link in Safari (other browsers won't trigger the profile install). Tap Allow when asked to download a configuration profile.
- Go to Settings → General → VPN & Device Management, tap the downloaded meshO profile, and tap Install (enter your passcode).
- Then go to Settings → General → About → Certificate Trust Settings and switch on the meshO CA under Enable full trust for root certificates. This second step is essential — without it the certificate is installed but not trusted.
Android
- Open Settings and search for Install a certificate, or go to Security → Encryption & credentials → Install a certificate → CA certificate.
- Pick the downloaded
meshO-CA-*.crtfile and confirm.
Some Android builds and some browsers (notably Chrome on certain versions) only honour user-installed CAs in limited ways. If a secure link still warns after installing, prefer running the download station on a Windows or Mac laptop.
Linux (system + Chrome/Chromium)
bash
sudo cp meshO-CA-*.crt /usr/local/share/ca-certificates/
sudo update-ca-certificatesChrome and Chromium keep their own certificate store separate from the system one. Add it there too: ⋮ → Settings → Privacy and security → Security → Manage certificates → Authorities → Import, then tick "Trust this certificate for identifying websites."
What happens if you don't trust the certificate
Nothing breaks, and nothing is at risk — but the experience degrades. Specifically:
- The server still starts and HTTPS still runs. Trusting the CA is not required for the secure endpoint to come up. Manager keeps serving both HTTP and HTTPS.
- HTTP keeps working everywhere. The tray app, leaderboard TVs, registration laptops, spectator phones — all unaffected.
- Secure links show a browser warning. Opening an HTTPS access link on a device that hasn't trusted the CA produces "Your connection is not private" (Chrome:
NET::ERR_CERT_AUTHORITY_INVALID; Edge similar). You can usually click Advanced → Proceed to continue. - Card download may be blocked. This is the one that actually bites: on an untrusted secure origin, some browsers withhold the Web Serial API, so the Connect/download affordance won't appear even after you click past the warning. Trusting the certificate is what reliably enables it.
- The Settings screen tells you. Under Trust the certificate you'll see a Not trusted yet chip and a yellow note explaining the above, instead of the green Trusted on the server chip.
The simplest workaround of all: if the computer doing the downloading is the server, don't bother with any of this — open Manager at
http://localhost:5154/manager.localhostis automatically a secure context, so Web Serial works with no certificate and no warning. HTTPS only matters for download/backup stations on a separate computer.
Troubleshooting
HTTPS is enabled but the access table shows no secure links / a warning banner. HTTPS is enabled in settings but didn't bind at startup. The banner gives the reason. Common causes:
- The HTTPS port equals the HTTP port. They must differ — change HTTPS Port (default
5155). - The HTTPS port is already in use by another program. Pick a free port and restart.
- The certificate couldn't be prepared. Rare; see the server log. Manager degrades to HTTP-only so the rest of the event is unaffected.
Remember a setting change only takes effect after a server restart.
I trusted it, but the browser still warns.
- Make sure you trusted it on the device showing the warning, not just the server.
- Fully quit and reopen the browser — certificate stores are read at startup.
- Check you opened the link by the same name the certificate was issued for. If you trusted via
mesho.localbut open by raw IP (or vice-versa), and the certificate only covers one of them, you'll still get a name-mismatch warning. The access table lists both name and IP variants. - On iОS, confirm you completed the second step (Certificate Trust Settings), not just the profile install.
I renamed the computer / changed networks and now it warns again. meshO reissues the server certificate automatically for the new name/IP, signed by the same CA — so devices that already trust the CA keep working, with no reinstall needed. Two things to check: (1) restart the server so the new certificate is actually served (it binds at startup), and (2) make sure you're reaching the machine by a name/IP the new certificate covers. If a device still warns after that, it most likely never trusted the CA in the first place. See If the server is renamed or its IP changes for the full explanation.
Can I avoid certificates entirely? Yes — run the download station on the server computer and use http://localhost:5154/manager. That's the recommended setup for small events.
Security notes
- The meshO CA is generated locally and its private key never leaves the server. It can only vouch for meshO's own certificates on your machines.
- Trust is installed in the current user's store, not system-wide where avoidable, keeping the footprint small.
- The per-machine server certificate is short-lived and reissued as needed, so a leaked key has a limited lifetime.
- Trusting the meshO CA does not let meshO (or anyone else) intercept your other browsing — a privately-generated CA can only sign certificates meshO holds the keys for, and it lives only on the devices you chose to install it on. Remove it any time from the same trust store you added it to.
Related
- Downloading cards — the Web Serial download flow that HTTPS exists to support.
- Download, install and update — installing the server and opening Manager on other devices.
- Multi-operator setup — network and workstation setup for a multi-person event.
- Settings — the Server section where HTTPS, ports, and LAN access live.
- Troubleshooting — general "it won't start / won't connect" help.