Add mkcert support for browser-trusted HTTPS certificates

No more browser warnings! mkcert creates locally-trusted certs.

Pi Setup:
- Auto-install mkcert during setup
- Generate trusted certs when HTTPS enabled
- Copy CA to /static/ca/rootCA.pem for easy device setup
- New devices can download CA via HTTP and install it

Docker:
- docker-entrypoint.sh checks for mkcert, falls back to openssl
- Shows instructions for CA distribution to other devices

Scripts:
- Added setup-trusted-certs.sh helper for local dev
- Installs mkcert, generates certs, shows device setup instructions

To trust on new devices:
1. Download: http://stegasoo.local/static/ca/rootCA.pem
2. Install as trusted CA in browser/OS

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

frontends/web/docker-entrypoint.sh

@@ -3,6 +3,8 @@
 # Docker entrypoint for Stegasoo Web UI
 # Handles SSL certificate generation and gunicorn startup
 #
+# Supports mkcert for browser-trusted certificates (no warning screen)
+#
 
 set -e
 
@@ -11,24 +13,42 @@ CERT_FILE="$CERT_DIR/cert.pem"
 KEY_FILE="$CERT_DIR/key.pem"
 HOSTNAME="${STEGASOO_HOSTNAME:-localhost}"
 
-# Generate self-signed SSL certificate if HTTPS enabled and certs don't exist
+# Generate SSL certificates
+# Priority: 1) Existing certs, 2) mkcert (trusted), 3) openssl (self-signed)
 generate_certs() {
-    if [ ! -f "$CERT_FILE" ] || [ ! -f "$KEY_FILE" ]; then
-        echo "Generating self-signed SSL certificate for $HOSTNAME..."
-        mkdir -p "$CERT_DIR"
-
-        openssl req -x509 -newkey rsa:2048 \
-            -keyout "$KEY_FILE" \
-            -out "$CERT_FILE" \
-            -sha256 -days 365 -nodes \
-            -subj "/CN=$HOSTNAME" \
-            -addext "subjectAltName=DNS:$HOSTNAME,DNS:localhost,IP:127.0.0.1" \
-            2>/dev/null
-
-        echo "SSL certificate generated."
-    else
+    if [ -f "$CERT_FILE" ] && [ -f "$KEY_FILE" ]; then
         echo "Using existing SSL certificates."
+        return
     fi
+
+    mkdir -p "$CERT_DIR"
+
+    # Try mkcert first (creates browser-trusted certs)
+    if command -v mkcert &> /dev/null; then
+        echo "Generating trusted certificate with mkcert for $HOSTNAME..."
+        cd "$CERT_DIR"
+        mkcert -key-file key.pem -cert-file cert.pem "$HOSTNAME" localhost 127.0.0.1 ::1
+        echo "Trusted certificate generated."
+        echo ""
+        echo "  To trust on other devices, install the CA cert from:"
+        echo "  $(mkcert -CAROOT)/rootCA.pem"
+        echo ""
+        return
+    fi
+
+    # Fallback to self-signed (shows browser warning)
+    echo "Generating self-signed SSL certificate for $HOSTNAME..."
+    echo "(Install mkcert for browser-trusted certs without warnings)"
+
+    openssl req -x509 -newkey rsa:2048 \
+        -keyout "$KEY_FILE" \
+        -out "$CERT_FILE" \
+        -sha256 -days 365 -nodes \
+        -subj "/CN=$HOSTNAME" \
+        -addext "subjectAltName=DNS:$HOSTNAME,DNS:localhost,IP:127.0.0.1" \
+        2>/dev/null
+
+    echo "Self-signed certificate generated."
 }
 
 # Start gunicorn with appropriate settings