From 903645e7899c1670ee0bc46aba78d30643cb083a Mon Sep 17 00:00:00 2001
From: Claude
Date: Mon, 22 Jun 2026 13:19:12 +0000
Subject: [PATCH] Trust self-signed certs on RDP connections (FreeRDP rejects them by default)
---
 backend/src/routes/guacamole.ts | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/backend/src/routes/guacamole.ts b/backend/src/routes/guacamole.ts
index 8da4d88..067b7c4 100644
--- a/backend/src/routes/guacamole.ts
+++ b/backend/src/routes/guacamole.ts
@@ -76,6 +76,11 @@ export async function guacamoleRoutes(app: FastifyInstance) {
 const settings: Record = { hostname, username, password: target.secrets.password ?? '' }
 if (port) settings.port = port
 if (domain) settings.domain = domain
+ // Self-hosted RDP/VNC targets almost always present a self-signed cert; FreeRDP
+ // (via guacd) rejects those by default, so trust them rather than failing the
+ // connection. There's no MITM concern here since ArchNest connects directly to
+ // a hostname/IP the user configured themselves.
+ if (protocol === 'rdp') settings['ignore-cert'] = 'true'
 const token = new Crypt(CRYPT_CYPHER, CRYPT_KEY).encrypt({
 connection: { type: protocol, settings },
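Review bot: The added comment's claim that there is "no MITM concern" does not hold, and the new `if (protocol === 'rdp') settings['ignore-cert'] = 'true'` line switches off server certificate validation for every RDP target. A user-configured hostname/IP says where to connect, not who answers, so a host on the path between guacd and the target can present its own certificate and receive the `password` placed in `settings` a few lines above. Make this a per-target opt-in that defaults to validation, e.g. `if (protocol === 'rdp' && <per-target opt-in flag>) settings['ignore-cert'] = 'true'`, and reword the comment to `// ignore-cert disables RDP server certificate validation; the target is then unauthenticated and an on-path host can capture the credentials.` If the deployed guacd version supports the `cert-fingerprints` or `cert-tofu` RDP parameters, pinning or trust-on-first-use would accept self-signed certificates without dropping authentication entirely. The comment also mentions VNC while the condition only covers `rdp`, and guacamoleRoutes starts before and continues past this hunk.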