| Age | Commit message (Collapse) | Author | Lines |
|
Android 12 native IKEv2 requires the presented cert chain to include
a cert that is directly in the device trust store. Fetch the issuer
root CA (ISRG Root X1) via AIA from the last intermediate cert and
append it to server-chain.crt so strongSwan sends 4 CERT payloads:
Leaf + YR1 + Root YR + ISRG Root X1 (trusted on all Android versions).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
|
install.sh and renew-cert.sh had identical cert fetch/split code.
install.sh now delegates to renew-cert.sh, which in turn calls deploy.sh.
Flow: install.sh → renew-cert.sh → deploy.sh
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
|
Android (XREAL Beam Pro) can't validate the server cert because it lacks
the Let's Encrypt YE1 hierarchy in its system trust store. The fix:
- Serve YE1 cert at https://vpn.yyamashita.com/ca.pem via Caddy
- Android VPN profile: set CA certificate to this downloaded cert
- install.sh / renew-cert.sh now extract and copy YE1 to caddy dir
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
|
- vpn/: Dockerfile, docker-compose.yml, swanctl.conf.tpl, entrypoint.sh
- install.sh: Caddy 証明書流用 + コンテナ起動
- renew-cert.sh: 証明書更新 + swanctl ホットリロード
- caddy/Caddyfile: vpn.yyamashita.com 追加(Let's Encrypt 証明書取得用)
- post-receive: vpn/deploy.sh を追加
- setup-route53.py: WEB_SUBDOMAINS に vpn を追加
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|