summaryrefslogtreecommitdiff
path: root/vpn/renew-cert.sh
AgeCommit message (Collapse)AuthorLines
13 daysAppend issuer root CA to cert chain for Android IKEv2 compatyyamashita-0/+14
Android 12 native IKEv2 requires the presented cert chain to include a cert that is directly in the device trust store. Fetch the issuer root CA (ISRG Root X1) via AIA from the last intermediate cert and append it to server-chain.crt so strongSwan sends 4 CERT payloads: Leaf + YR1 + Root YR + ISRG Root X1 (trusted on all Android versions). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
14 daysRemove cert logic duplication from vpn/install.shyyamashita-5/+12
install.sh and renew-cert.sh had identical cert fetch/split code. install.sh now delegates to renew-cert.sh, which in turn calls deploy.sh. Flow: install.sh → renew-cert.sh → deploy.sh Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Serve YE1 intermediate CA cert for Android VPN trust chainyyamashita-1/+7
Android (XREAL Beam Pro) can't validate the server cert because it lacks the Let's Encrypt YE1 hierarchy in its system trust store. The fix: - Serve YE1 cert at https://vpn.yyamashita.com/ca.pem via Caddy - Android VPN profile: set CA certificate to this downloaded cert - install.sh / renew-cert.sh now extract and copy YE1 to caddy dir Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-30Add strongSwan IKEv2 VPN serviceyyamashita-0/+18
- vpn/: Dockerfile, docker-compose.yml, swanctl.conf.tpl, entrypoint.sh - install.sh: Caddy 証明書流用 + コンテナ起動 - renew-cert.sh: 証明書更新 + swanctl ホットリロード - caddy/Caddyfile: vpn.yyamashita.com 追加(Let's Encrypt 証明書取得用) - post-receive: vpn/deploy.sh を追加 - setup-route53.py: WEB_SUBDOMAINS に vpn を追加 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>