Okay, so this was good learning. Documented so it may help others who are beginners like me:
(credits to many websites which I read - none of the below is original thinking from my side)
a) It is correct that you don't need cordovaHTTP - standard $http works and all you need to do is change http to https (I wonder why people use cordovaHTTP then)
b) While generating a self-signed certificate (if you don't have an option to use a paid certificate and the server is used for a small set of people), it is important that the self-signed certificate you generate has the same common name as your server. For example, let's say you are deploying your solution in a server that maps to a hostname of "https://myserver.ddns.net": make sure when generating the key you use a common name of "myserver.ddns.net". If you don't do this, when you try and validate the cert, it will complain that the name you are using to access the URL does not match the common name within the cert. Specifically, if you use built-in commands such as make-ssl-cert (available in Ubuntu), it uses the server hostname, which may not be the same as your external URL.
A good way to generate and use the self-signed-cert (for Apache in this example):
(you can specify any directory, I chose to store it in ssl/)
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/myserver.key -out /etc/apache2/ssl/myserver.crt
Next up, assuming you have already configured apache for SSL
vi /etc/apache2/sites-available/default-ssl.conf
and update these lines with the location of your certs
SSLCertificateFile /etc/apache2/ssl/myserver.crt
SSLCertificateKeyFile /etc/apache2/ssl/myserver.key
c) Validate your server certs - there are many, but I found this site to be one of the best
https://www.ssllabs.com/ssltest/
You will potentially see two issues when you validate:
c.1) Trusted: No NOT TRUSTED
c.2) Chain issues: Contains anchor
The first one is expected. But the second one creates problems on mobile devices (it works fine on desktop with ionic serve -c)
To fix for mobile device:
a) email the certificate to your mobile device (/etc/apache2/ssl/myserver.crt) and install that certificate (DO NOT just go to your site with mobile safari - that just adds an exclusion for mobile safari - your app will still not work)
b) Install that cert from email - just open it and follow steps. I did the same for Android as well (this step was important for iOS, I just did it for Android too to make sure - never tested if android works without it)
Now you can access HTTPS on mobile devices with self-signed certs
I've tested on:
a) iOS 5S 8.3
b) Android 4.4 --> both debug and release builds
Phew.
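
The certificate steps from the post above, as an added shell example that is not part of the original post: it generates the self-signed cert non-interactively for the external hostname, then checks the hostname match and that the .crt and .key are a pair before Apache is pointed at them. The function names, the temp directory and the internal hostname "ubuntu-box" are assumptions; the subjectAltName entry is added because current mobile and desktop clients match the hostname against it rather than the common name (needs OpenSSL 1.1.1 or newer for -addext).

```shell
#!/bin/sh
# Added example; function names and paths below are assumptions.

# make_cert HOST DIR: write DIR/HOST.key and DIR/HOST.crt, self-signed,
# with HOST as the common name and as a subjectAltName DNS entry.
make_cert() {
    host=$1
    dir=$2
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
    chmod 600 "$dir/$host.key"   # private key readable by owner only
}

# cert_matches CRT HOST: succeed only if CRT is valid for the name HOST.
# openssl prints "does match" or "does NOT match"; grep decides the status.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# key_matches_cert CRT KEY: succeed only if KEY is the private key for CRT,
# by comparing the public key embedded in each file.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo in a throwaway directory (use /etc/apache2/ssl on the real server).
demo_dir=$(mktemp -d)
make_cert myserver.ddns.net "$demo_dir"
for name in myserver.ddns.net ubuntu-box; do
    if cert_matches "$demo_dir/myserver.ddns.net.crt" "$name"; then
        echo "$name: matches certificate"
    else
        echo "$name: does NOT match certificate"
    fi
done
if key_matches_cert "$demo_dir/myserver.ddns.net.crt" \
                    "$demo_dir/myserver.ddns.net.key"; then
    echo "certificate and key are a pair"
fi
rm -rf "$demo_dir"
```
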