summaryrefslogtreecommitdiff
path: root/vpn/renew-cert.sh
diff options
context:
space:
mode:
authoryyamashita <yyamashita@hetzner.yyamashita.com>2026-07-01 10:48:36 +0900
committeryyamashita <yyamashita@hetzner.yyamashita.com>2026-07-01 10:48:36 +0900
commit47e47957cc363511d1de5f78caff7ff77ed7d0c7 (patch)
treebd18418d49742bf285b010c59b03a462383b8c3a /vpn/renew-cert.sh
parentacff0eebed7cd89a5b50db2366cd055d6aed67de (diff)
Serve YE1 intermediate CA cert for Android VPN trust chain
Android (XREAL Beam Pro) can't validate the server cert because it lacks the Let's Encrypt YE1 hierarchy in its system trust store. The fix: - Serve YE1 cert at https://vpn.yyamashita.com/ca.pem via Caddy - Android VPN profile: set CA certificate to this downloaded cert - install.sh / renew-cert.sh now extract and copy YE1 to caddy dir Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Diffstat (limited to 'vpn/renew-cert.sh')
-rw-r--r--vpn/renew-cert.sh8
1 files changed, 7 insertions, 1 deletions
diff --git a/vpn/renew-cert.sh b/vpn/renew-cert.sh
index 50f8784..b199350 100644
--- a/vpn/renew-cert.sh
+++ b/vpn/renew-cert.sh
@@ -14,5 +14,11 @@ docker compose -f "$CADDY_DIR/docker-compose.yml" exec -T caddy \
cat "${CADDY_CERT_BASE}.key" > certs/server.key
chmod 600 certs/server.key
-docker compose exec vpn swanctl --load-creds --noprompt
+# チェーン分割 + Android 用 CA 証明書更新
+awk '/BEGIN CERTIFICATE/{n++} n==1' certs/server.crt > certs/server-leaf.crt
+awk '/BEGIN CERTIFICATE/{n++} n>1' certs/server.crt > certs/server-chain.crt
+mv certs/server-leaf.crt certs/server.crt
+awk '/BEGIN CERTIFICATE/{n++} n==1' certs/server-chain.crt > "$CADDY_DIR/ca.pem"
+
+docker compose restart
echo "完了。証明書を更新してリロードしました。"