diff options
| author | yyamashita <yyamashita@hetzner.yyamashita.com> | 2026-07-02 21:43:55 +0900 |
|---|---|---|
| committer | yyamashita <yyamashita@hetzner.yyamashita.com> | 2026-07-02 21:43:55 +0900 |
| commit | 71e307963829e7a4a7f7277829a2a60791747cb2 (patch) | |
| tree | 2244155521572b635828f300e1fd1076931ceccd | |
| parent | d99eef8641fe819cb0cc90e7eea0514b769e6389 (diff) | |
Force send ISRG Root X1 via local.cacerts for Android compat
strongSwan skips self-signed root CAs from CERT payloads by default.
Setting cacerts = chain-3.crt in the local section forces it to include
ISRG Root X1 explicitly so Android 12 can complete trust chain validation.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| -rw-r--r-- | vpn/swanctl.conf.tpl | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/vpn/swanctl.conf.tpl b/vpn/swanctl.conf.tpl index 1fc84df..1455bcf 100644 --- a/vpn/swanctl.conf.tpl +++ b/vpn/swanctl.conf.tpl @@ -8,6 +8,7 @@ connections { local { auth = pubkey certs = server.crt + cacerts = chain-3.crt id = ${VPN_DOMAIN} } |
