Alpine still gives me a bad cert warning, saying I should either fix it or disable checking. I haven't yet found a way to get Alpine to discriminate between a valid self-signed cert and a bad one.

Well, it can't discriminate since any certificate (except those in your trusted store) that asserts its own validity is suspect. You can either get alpine to not complain e.g.

inbox-path={192.168.100.2:143/user=whatever/tls/novalidate-cert}

or add the public part of the cert into your system's trusted CA store.

Joseph Tam <jtam.home@gmail.com>