summaryrefslogtreecommitdiff
path: root/vpn/renew-cert.sh
diff options
context:
space:
mode:
authoryyamashita <yyamashita@hetzner.yyamashita.com>2026-07-02 21:35:37 +0900
committeryyamashita <yyamashita@hetzner.yyamashita.com>2026-07-02 21:35:37 +0900
commitd99eef8641fe819cb0cc90e7eea0514b769e6389 (patch)
treeb2ef8364016033fc5a81e1490bd64e0b3eefb052 /vpn/renew-cert.sh
parent2a1b87ebcb167cededb22782241900a82d0e8d4d (diff)
Append issuer root CA to cert chain for Android IKEv2 compat
Android 12 native IKEv2 requires the presented cert chain to include a cert that is directly in the device trust store. Fetch the issuer root CA (ISRG Root X1) via AIA from the last intermediate cert and append it to server-chain.crt so strongSwan sends 4 CERT payloads: Leaf + YR1 + Root YR + ISRG Root X1 (trusted on all Android versions). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Diffstat (limited to 'vpn/renew-cert.sh')
-rw-r--r--vpn/renew-cert.sh14
1 files changed, 14 insertions, 0 deletions
diff --git a/vpn/renew-cert.sh b/vpn/renew-cert.sh
index 56cc1d6..230465e 100644
--- a/vpn/renew-cert.sh
+++ b/vpn/renew-cert.sh
@@ -24,6 +24,20 @@ awk '/BEGIN CERTIFICATE/{n++} n==1' certs/server.crt > certs/server-leaf.crt
awk '/BEGIN CERTIFICATE/{n++} n>1' certs/server.crt > certs/server-chain.crt
mv certs/server-leaf.crt certs/server.crt
+# チェーンの最後の証明書の AIA からルート CA を取得して追加する
+# Android 12 の IKEv2 スタックは presented certs の中に trust store のルートが
+# 含まれていることを要求するため、ISRG Root X1 を明示的に送る必要がある
+N=$(grep -c "BEGIN CERTIFICATE" certs/server-chain.crt)
+tmpder=$(mktemp)
+awk -v n="$N" '/BEGIN CERTIFICATE/{c++} c==n,/END CERTIFICATE/{print}' certs/server-chain.crt > "$tmpder"
+AIA_URL=$(openssl x509 -in "$tmpder" -text -noout 2>/dev/null | grep "CA Issuers" | sed 's/.*URI://' | tr -d '[:space:]')
+rm -f "$tmpder"
+if [ -n "$AIA_URL" ]; then
+ echo "ルート CA を追加中: $AIA_URL"
+ curl -sf "$AIA_URL" | openssl x509 -inform DER >> certs/server-chain.crt || \
+ echo "警告: ルート CA の取得をスキップしました"
+fi
+
# 中間 CA 証明書を Caddy で配信(クライアントが手動インストールする場合に使用)
awk '/BEGIN CERTIFICATE/{n++} n==1' certs/server-chain.crt > "$CADDY_DIR/ca.pem"