I could be wrong about this, but currently the server will setInsecureSkipVerify if the certificate is self-signed, but the agent does not and has no configuration to allow insecure (as far as I saw) so it will fail to connect.

More context incoder/vscode-coder#349

I think normally you just want to add the certificates to your image, even if they are self-signed, but as we support insecure in some other scenarios (VS Code plugin, notifications) I think you could argue it should be supported everywhere.