From d99eef8641fe819cb0cc90e7eea0514b769e6389 Mon Sep 17 00:00:00 2001 From: yyamashita Date: Thu, 2 Jul 2026 21:35:37 +0900 Subject: Append issuer root CA to cert chain for Android IKEv2 compat Android 12 native IKEv2 requires the presented cert chain to include a cert that is directly in the device trust store. Fetch the issuer root CA (ISRG Root X1) via AIA from the last intermediate cert and append it to server-chain.crt so strongSwan sends 4 CERT payloads: Leaf + YR1 + Root YR + ISRG Root X1 (trusted on all Android versions). Co-Authored-By: Claude Sonnet 4.6 --- vpn/renew-cert.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/vpn/renew-cert.sh b/vpn/renew-cert.sh index 56cc1d6..230465e 100644 --- a/vpn/renew-cert.sh +++ b/vpn/renew-cert.sh @@ -24,6 +24,20 @@ awk '/BEGIN CERTIFICATE/{n++} n==1' certs/server.crt > certs/server-leaf.crt awk '/BEGIN CERTIFICATE/{n++} n>1' certs/server.crt > certs/server-chain.crt mv certs/server-leaf.crt certs/server.crt +# チェーンの最後の証明書の AIA からルート CA を取得して追加する +# Android 12 の IKEv2 スタックは presented certs の中に trust store のルートが +# 含まれていることを要求するため、ISRG Root X1 を明示的に送る必要がある +N=$(grep -c "BEGIN CERTIFICATE" certs/server-chain.crt) +tmpder=$(mktemp) +awk -v n="$N" '/BEGIN CERTIFICATE/{c++} c==n,/END CERTIFICATE/{print}' certs/server-chain.crt > "$tmpder" +AIA_URL=$(openssl x509 -in "$tmpder" -text -noout 2>/dev/null | grep "CA Issuers" | sed 's/.*URI://' | tr -d '[:space:]') +rm -f "$tmpder" +if [ -n "$AIA_URL" ]; then + echo "ルート CA を追加中: $AIA_URL" + curl -sf "$AIA_URL" | openssl x509 -inform DER >> certs/server-chain.crt || \ + echo "警告: ルート CA の取得をスキップしました" +fi + # 中間 CA 証明書を Caddy で配信(クライアントが手動インストールする場合に使用) awk '/BEGIN CERTIFICATE/{n++} n==1' certs/server-chain.crt > "$CADDY_DIR/ca.pem" -- cgit v1.2.3