summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authoryyamashita <yyamashita@hetzner.yyamashita.com>2026-07-02 21:43:55 +0900
committeryyamashita <yyamashita@hetzner.yyamashita.com>2026-07-02 21:43:55 +0900
commit71e307963829e7a4a7f7277829a2a60791747cb2 (patch)
tree2244155521572b635828f300e1fd1076931ceccd
parentd99eef8641fe819cb0cc90e7eea0514b769e6389 (diff)
Force send ISRG Root X1 via local.cacerts for Android compat
strongSwan skips self-signed root CAs from CERT payloads by default. Setting cacerts = chain-3.crt in the local section forces it to include ISRG Root X1 explicitly so Android 12 can complete trust chain validation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
-rw-r--r--vpn/swanctl.conf.tpl1
1 files changed, 1 insertions, 0 deletions
diff --git a/vpn/swanctl.conf.tpl b/vpn/swanctl.conf.tpl
index 1fc84df..1455bcf 100644
--- a/vpn/swanctl.conf.tpl
+++ b/vpn/swanctl.conf.tpl
@@ -8,6 +8,7 @@ connections {
local {
auth = pubkey
certs = server.crt
+ cacerts = chain-3.crt
id = ${VPN_DOMAIN}
}