3 files changed, 18 insertions, 4 deletions
diff --git a/src/conf_mode/pki.py b/src/conf_mode/pki.py
index acea2c9be..724f97555 100755
--- a/src/conf_mode/pki.py
+++ b/src/conf_mode/pki.py
@@ -440,13 +440,21 @@ def generate(pki):
         for name, cert_conf in pki['certificate'].items():
             if 'acme' in cert_conf:
                 certbot_list.append(name)
-                # generate certificate if not found on disk
+                # There is no ACME/certbot managed certificate presend on the
+                # system, generate it
                 if name not in certbot_list_on_disk:
                     certbot_request(name, cert_conf['acme'], dry_run=False)
+                    # Now that the certificate was properly generated we have
+                    # the PEM files on disk. We need to add the certificate to
+                    # certbot_list_on_disk to automatically import the CA chain
+                    certbot_list_on_disk.append(name)
+                # We alredy had an ACME managed certificate on the system, but
+                # something changed in the configuration
                 elif changed_certificates != None and name in changed_certificates:
-                    # when something for the certificate changed, we should delete it
+                    # Delete old ACME certificate first
                     if name in certbot_list_on_disk:
                         certbot_delete(name)
+                    # Request new certificate via certbot
                     certbot_request(name, cert_conf['acme'], dry_run=False)
 
     # Cleanup certbot configuration and certificates if no longer in use by CLI
diff --git a/src/conf_mode/system_login_banner.py b/src/conf_mode/system_login_banner.py
index 5826d8042..cdd066649 100755
--- a/src/conf_mode/system_login_banner.py
+++ b/src/conf_mode/system_login_banner.py
@@ -95,8 +95,12 @@ def apply(banner):
         render(POSTLOGIN_FILE, 'login/default_motd.j2', banner,
             permission=0o644, user='root', group='root')
 
-    render(POSTLOGIN_VYOS_FILE, 'login/motd_vyos_nonproduction.j2', banner,
-        permission=0o644, user='root', group='root')
+    if banner['version_data']['build_type'] != 'release':
+        render(POSTLOGIN_VYOS_FILE, 'login/motd_vyos_nonproduction.j2',
+            banner,
+            permission=0o644,
+            user='root',
+            group='root')
 
     return None
 
diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py
index 71a503e61..2754314f7 100755
--- a/src/conf_mode/vpn_ipsec.py
+++ b/src/conf_mode/vpn_ipsec.py
@@ -64,6 +64,7 @@ swanctl_dir        = '/etc/swanctl'
 charon_conf        = '/etc/strongswan.d/charon.conf'
 charon_dhcp_conf   = '/etc/strongswan.d/charon/dhcp.conf'
 charon_radius_conf = '/etc/strongswan.d/charon/eap-radius.conf'
+charon_systemd_conf = '/etc/strongswan.d/charon-systemd.conf'
 interface_conf     = '/etc/strongswan.d/interfaces_use.conf'
 swanctl_conf       = f'{swanctl_dir}/swanctl.conf'
 
@@ -745,6 +746,7 @@ def generate(ipsec):
     render(charon_conf, 'ipsec/charon.j2', ipsec)
     render(charon_dhcp_conf, 'ipsec/charon/dhcp.conf.j2', ipsec)
     render(charon_radius_conf, 'ipsec/charon/eap-radius.conf.j2', ipsec)
+    render(charon_systemd_conf, 'ipsec/charon_systemd.conf.j2', ipsec)
     render(interface_conf, 'ipsec/interfaces_use.conf.j2', ipsec)
     render(swanctl_conf, 'ipsec/swanctl.conf.j2', ipsec)