At the risk of being that guy, I just wanted to clarify what I was saying. I have no expectation that Discourse ignore self-signed certificate errors. I understand what a self-signed certificate means, and why that would be A Bad Thing.
My particular use case is that I am doing some prototyping of getting an intranet to talk to Discourse. Just to test things out, we created a self-signed certificate so we could have both our intranet and Discourse talking over SSL. Now, Discourse itself works fine with the self-signed certificate. The browsers, quite appropriately, throw up big scary warnings which (as a developer) I know I can safely ignore inside our firewall, since we created the certificate ourselves.
What was confusing me is that the Discourse API works fine over SSL with a self-signed certificate if you are logged in and are passing cookies to authenticate. If it didn't, the Discourse user interface wouldn't work at all. Also, unauthenticated requests to the API work fine too. For example, you can do the following:
> curl "https://example.com/user_actions.json?username=myusername&filter=4,5,6,7,9"
That will return data just fine (assuming you have public content in the system). However, as soon as you add an API key in, then Discourse returns a 403 error. For example:
> curl "https://example.com/user_actions.json?username=myusername&filter=4,5,6,7,9&api_key=618e6eb2670a5eb9579b26bea965e8cf9921870c90551091b11d7e5dee1948f9&api_username=myusername"
The confusing thing is that when you add the API key, what would have worked just fine over clear text suddenly stops working.
Now, I'm not writing this up to have a whinge and beg the Discourse developers to add an extra configuration option (though that would be nice). I'll get a signed SSL certificate in the near future and everything will be peachy (in theory). I just thought it would be worth documenting in case someone else runs into the same issue, since it is not obvious from the error messages that the issue is related to the self-signed certificate. It just looks like your API key has suddenly stopped working (which it hasn't).