So here's my issue, and as I see it a major issue for IoT devices in general that are not exposed to the internet:
To provide secure communication, a device needs an SSL cert. Need this for HTTPS, secure websockets, etc. Problem is that browsers have declared war on self-signed certificates and even unrecognized CAs (so much for using mkcert). So then yes, you can use Let's Encrypt, but that requires exposing your device to the internet... and that's a no-go in most customer environments, especially when there's no internet to connect to. But it's also crap to transmit everything in plain text, including passwords, as rogue devices on the intranet could be listening.
Requiring users to add a custom CA (à la mkcert) to their trusted CAs is way too advanced for the lay user and isn't going to work either.
Has anyone else been faced with this, and if so, what did you do? Right now it looks like plaintext HTTP and unencrypted websockets...