since it’s all self hosted it seems like self signed certs would be fine. perhaps they could update their proxy container to generate certs and provide a root for users to trust during setup.