diff --git a/cmd/embedded-cluster/join.go b/cmd/embedded-cluster/join.go
index e31f97f04..539672b85 100644
--- a/cmd/embedded-cluster/join.go
+++ b/cmd/embedded-cluster/join.go
@@ -3,6 +3,7 @@ package main
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -72,14 +73,17 @@ func (j JoinCommandResponse) EmbeddedOverrides() (dig.Mapping, error) {
 // getJoinToken issues a request to the kots api to get the actual join command
 // based on the short token provided by the user.
 func getJoinToken(ctx context.Context, baseURL, shortToken string) (*JoinCommandResponse, error) {
-	url := fmt.Sprintf("http://%s/api/v1/embedded-cluster/join?token=%s", baseURL, shortToken)
+	url := fmt.Sprintf("https://%s/api/v1/embedded-cluster/join?token=%s", baseURL, shortToken)
 	ctx, cancel := context.WithTimeout(ctx, time.Minute)
 	defer cancel()
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create request: %w", err)
 	}
-	resp, err := http.DefaultClient.Do(req)
+
+	// this will generally be a self-signed certificate created by kurl-proxy
+	insecureClient := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
+	resp, err := insecureClient.Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("unable to get join token: %w", err)
 	}