When a LineageOS 16 mobile runs OpenVPN to connect to web services on private IPs, HTTPS certificates cannot be issued by Let’s Encrypt because it has no access to the machine. They are created with the Enough Certificate Authority instead. Since this Certificate Authority is not known to Android, it must be added manually, as follows.
Assuming the certificate authority is in the file ca.crt and the mobile is connected to the machine via a USB cable, with root access enabled in the developer options:
    $ openssl x509 -inform PEM -subject_hash_old -in ca.crt | head -1
    d3b1ba00
    $ cp ca.crt d3b1ba00.0
    $ adb push d3b1ba00.0 /sdcard/d3b1ba00.0
    $ adb root
    restarting adbd as root
    $ adb shell
    # mount -o rw,remount /system
    # mv /sdcard/d3b1ba00.0 /system/etc/security/cacerts/d3b1ba00.0
    # chown root:root /system/etc/security/cacerts/d3b1ba00.0
    # chmod 644 /system/etc/security/cacerts/d3b1ba00.0
    # reboot
Although it should be possible to do the same via the security settings, it apparently does something else (I’m not sure what exactly) and does not help if the goal is to navigate https URLs with certificates originating from this authority.