From 47e47957cc363511d1de5f78caff7ff77ed7d0c7 Mon Sep 17 00:00:00 2001 From: yyamashita Date: Wed, 1 Jul 2026 10:48:36 +0900 Subject: Serve YE1 intermediate CA cert for Android VPN trust chain Android (XREAL Beam Pro) can't validate the server cert because it lacks the Let's Encrypt YE1 hierarchy in its system trust store. The fix: - Serve YE1 cert at https://vpn.yyamashita.com/ca.pem via Caddy - Android VPN profile: set CA certificate to this downloaded cert - install.sh / renew-cert.sh now extract and copy YE1 to caddy dir Co-Authored-By: Claude Sonnet 4.6 --- caddy/Caddyfile | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'caddy') diff --git a/caddy/Caddyfile b/caddy/Caddyfile index 66a9d05..46a6c92 100644 --- a/caddy/Caddyfile +++ b/caddy/Caddyfile @@ -44,5 +44,12 @@ blog.yyamashita.com { vpn.yyamashita.com { header Referrer-Policy "no-referrer" header X-Robots-Tag "noindex, nofollow" + route /ca.pem { + header Content-Type "application/x-pem-file" + header Content-Disposition "attachment; filename=\"vpn-ca.pem\"" + file_server { + root /etc/caddy + } + } respond "VPN Server" 200 } -- cgit v1.2.3