Hacker News
by thewataccount 1165 days ago
> All you have to do is prevent your TLS calls from trusting any certs signed by manually trusted CAs that Proxyman/Charles/etc might have had the user add.

Yeah but I have certs signed by trusted root authorities a la letsencrypt?

The letsencrypt root CA is included in this. If you trust only a device’s default trusted CA all letsencrypt certs will work. Also they don’t have their own root CA: https://letsencrypt.org/certificates/

I'm dumb and realized I can get a letsencrypt cert but the domain won't match.....