diff options
| author | yyamashita <yyamashita@hetzner.yyamashita.com> | 2026-07-01 10:48:36 +0900 |
|---|---|---|
| committer | yyamashita <yyamashita@hetzner.yyamashita.com> | 2026-07-01 10:48:36 +0900 |
| commit | 47e47957cc363511d1de5f78caff7ff77ed7d0c7 (patch) | |
| tree | bd18418d49742bf285b010c59b03a462383b8c3a /vpn/renew-cert.sh | |
| parent | acff0eebed7cd89a5b50db2366cd055d6aed67de (diff) | |
Serve YE1 intermediate CA cert for Android VPN trust chain
Android (XREAL Beam Pro) can't validate the server cert because it lacks
the Let's Encrypt YE1 hierarchy in its system trust store. The fix:
- Serve YE1 cert at https://vpn.yyamashita.com/ca.pem via Caddy
- Android VPN profile: set CA certificate to this downloaded cert
- install.sh / renew-cert.sh now extract and copy YE1 to caddy dir
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Diffstat (limited to 'vpn/renew-cert.sh')
| -rw-r--r-- | vpn/renew-cert.sh | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/vpn/renew-cert.sh b/vpn/renew-cert.sh index 50f8784..b199350 100644 --- a/vpn/renew-cert.sh +++ b/vpn/renew-cert.sh @@ -14,5 +14,11 @@ docker compose -f "$CADDY_DIR/docker-compose.yml" exec -T caddy \ cat "${CADDY_CERT_BASE}.key" > certs/server.key chmod 600 certs/server.key -docker compose exec vpn swanctl --load-creds --noprompt +# チェーン分割 + Android 用 CA 証明書更新 +awk '/BEGIN CERTIFICATE/{n++} n==1' certs/server.crt > certs/server-leaf.crt +awk '/BEGIN CERTIFICATE/{n++} n>1' certs/server.crt > certs/server-chain.crt +mv certs/server-leaf.crt certs/server.crt +awk '/BEGIN CERTIFICATE/{n++} n==1' certs/server-chain.crt > "$CADDY_DIR/ca.pem" + +docker compose restart echo "完了。証明書を更新してリロードしました。" |
