Security risk error for Cockpit in Brave browser

Ah, OK, on localhost it doesn’t auto-redirect. On public interfaces, it absolutely does, and it will give the warning because of the self-signed certificate. I just tested that with a fresh install of Cockpit on TW, and that is the behavior.

ETA: https://cockpit-project.org/guide/latest/https documents this.

That makes sense, I guess, since a localhost connection is not likely to be sniffed. But regardless, the warning message is due to the certificate being self-signed, and generally isn’t a concern under those circumstances.

One could always set up their own CA, put it in the trust chain, and then sign their own certificates - or get an external domain and get a real certificate, but for admin tools run on a local network only, that’s generally going to be overkill unless those services are exposed on the public Internet.
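
The private-CA route mentioned in the post above, as an added example that is not part of the original thread: it creates a CA, signs a server certificate whose subjectAltName matches the Cockpit host, and verifies the chain and name. The CA name, key sizes, lifetimes and output layout are assumptions.

```shell
#!/bin/sh
# Added example: private CA plus a CA-signed certificate for a Cockpit host.
# CA name, key sizes, lifetimes and output directory are assumptions.

make_cockpit_cert() (   # usage: make_cockpit_cert <hostname-or-IPv4> <outdir>
    host=$1 dir=$2
    umask 077                       # private keys readable by owner only
    mkdir -p "$dir" && cd "$dir" || exit 1

    # Browsers match the subjectAltName, not the CN; IPs need the IP: form.
    case $host in
        *[!0-9.]*) san="DNS:$host" check="-verify_hostname" ;;
        *)         san="IP:$host"  check="-verify_ip" ;;
    esac

    cat > ca.cnf <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Home Lab CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
    # 1. Self-signed CA certificate: the only file clients need to trust.
    openssl req -x509 -new -newkey rsa:3072 -nodes -sha256 -days 1825 \
        -config ca.cnf -keyout ca.key -out ca.crt || exit 1
    # 2. Server key and signing request for the Cockpit host.
    openssl req -new -newkey rsa:3072 -nodes -config ca.cnf \
        -subj "/CN=$host" -keyout server.key -out server.csr || exit 1
    # 3. Sign the request with the CA, adding the server extensions.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha256 -days 397 -extfile ca.cnf -extensions server -out server.crt || exit 1
    # 4. Confirm the chain and the name match before installing anything.
    openssl verify -CAfile ca.crt "$check" "$host" server.crt
)
```

Cockpit loads its certificate and key from `/etc/cockpit/ws-certs.d/`, so `server.crt` and `server.key` go there under a shared base name, while `ca.crt` is what gets imported into the client trust store. Keep `ca.key` off the Cockpit host, since anyone holding it can mint certificates those clients will trust.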