From 71e307963829e7a4a7f7277829a2a60791747cb2 Mon Sep 17 00:00:00 2001 From: yyamashita Date: Thu, 2 Jul 2026 21:43:55 +0900 Subject: Force send ISRG Root X1 via local.cacerts for Android compat strongSwan skips self-signed root CAs from CERT payloads by default. Setting cacerts = chain-3.crt in the local section forces it to include ISRG Root X1 explicitly so Android 12 can complete trust chain validation. Co-Authored-By: Claude Sonnet 4.6 --- vpn/swanctl.conf.tpl | 1 + 1 file changed, 1 insertion(+) (limited to 'vpn') diff --git a/vpn/swanctl.conf.tpl b/vpn/swanctl.conf.tpl index 1fc84df..1455bcf 100644 --- a/vpn/swanctl.conf.tpl +++ b/vpn/swanctl.conf.tpl @@ -8,6 +8,7 @@ connections { local { auth = pubkey certs = server.crt + cacerts = chain-3.crt id = ${VPN_DOMAIN} } -- cgit v1.2.3