# Cockpit Connectivity Notes ## Socket Activation (normal behavior) Cockpit is socket-activated — `cockpit.socket` listens on `*:9090` and spawns `cockpit.service` on demand. Seeing `cockpit.service` as `inactive (dead)` is **normal** when no one is connected. ``` cockpit.socket → active (listening) on *:9090 cockpit.service → inactive (dead) — wakes on connection ``` ## HTTPS required Cockpit **refuses plain HTTP**. Always use `https://`: - `https://:9090` ✓ - `http://:9090` ✗ (connection refused or hangs) ## Self-signed certificate Cockpit uses a self-signed cert by default. Browsers show a warning that must be bypassed (click "Advanced" → "Proceed"). ## Tailscale access With Tailscale installed on the server, access Cockpit via the Tailscale IP: ``` https://:9090 ``` No firewall changes needed — Cockpit listens on `*:9090` which includes the `tailscale0` interface. Same HTTPS + self-signed cert caveats apply.