Getting "TLS error : x509 certificate signed by unknown authority" for docker "hashicorp/vault" image

Hi Team,

We wanted to upgrade our Vault version to a version higher than 1.13.3. We were using the old Vault Docker repo image, vault (Docker), which only supports Vault versions up to 1.13.3 and is now deprecated; it recommends using the new Docker repo image, hashicorp/vault (Docker).

When we try to use the new repository's Vault image (making it the master in the existing cluster), we get the TLS error. We have TLS enabled for our existing Vault, and the new one has also had the required certs and keys created (verified by logging into the Docker container).

Below is our config file:

backend "consul" {
  address = "127.0.0.1:8500"
  path = "vault/dev-2/"
  scheme = "http"
  token = "<token-here>"
  cluster_addr = "https://<ip-here>:8201"
  redirect_addr = "https://<ip-here>:8200"
}
 
listener "tcp" {
  address = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_cert_file = "/vault/config/cert.pem"
  tls_key_file = "/vault/config/key.pem"
}
 
ui = true

The Docker Hub documentation doesn't suggest any steps to be performed differently when moving from vault (Docker) to hashicorp/vault (Docker).

Can anyone help here?

The “x509 certificate signed by unknown authority” error often means the system doesn’t trust the CA that issued your TLS certificate. To fix this:

  1. Check that your cert.pem and key.pem are correctly configured in Vault.
  2. Ensure the CA’s certificate is included in the client’s trust store or Vault’s configuration if necessary.
  3. Verify the entire certificate chain is correct, including any intermediate CAs.
  4. Confirm TLS version and cipher suite compatibility.
  5. If using a cluster, ensure all Vault instances are on the same version.

Consider generating new certificates with a known CA or a self-signed certificate, ensuring the CA certificate is distributed accordingly.
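As an added example (not from the original thread and not HashiCorp's code), the Go program below reproduces the mechanism behind the message. Vault and its CLI are Go programs, and "x509: certificate signed by unknown authority" is the text of Go's x509.UnknownAuthorityError, which is raised whenever the verifying side's root pool does not contain the CA that issued the presented certificate; the image tag does not change that. The CA, the server certificate, its key and the address 192.0.2.10 are all constructed in memory and stand in for the poster's cert.pem/key.pem; nothing is read from /vault/config. It covers step 1 of the answer (the key belongs to the cert) and steps 2 and 3 (the chain verifies only once the issuing CA is in the trust store), and also shows that a correct chain can still be rejected for an address that is not in the certificate's SANs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// certPair is a parsed certificate with its private key (constructed test data).
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs tmpl with parent (self-signed when parent is nil) and returns the
// certificate together with a freshly generated private key.
func issue(tmpl *x509.Certificate, parent *certPair) (*certPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certPair{cert: cert, key: key}, nil
}

// newCA builds a self-signed private CA, standing in for whatever CA signed cert.pem.
func newCA() (*certPair, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-private-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
}

// newServerCert issues a leaf for a Vault listener reachable at ip (the cert.pem/key.pem role).
func newServerCert(ca *certPair, ip string) (*certPair, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "vault-node"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP(ip)},
	}, ca)
}

// keyMatchesCert is the answer's step 1: the private key must belong to the certificate.
func keyMatchesCert(c *certPair) bool {
	pub, ok := c.cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&c.key.PublicKey)
}

// verifyAs classifies what a Go TLS client would conclude about leaf when its
// trust store holds exactly roots. A missing CA surfaces as UnknownAuthorityError,
// whose Error() text is "x509: certificate signed by unknown authority".
func verifyAs(leaf *x509.Certificate, roots *x509.CertPool, ip string) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots, // never nil here, so the OS store is not consulted
		DNSName:   ip,    // an IP literal is matched against the IP SANs
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &unknown):
		return "unknown-authority"
	default:
		return "other: " + err.Error()
	}
}

func main() {
	ca, _ := newCA()
	srv, _ := newServerCert(ca, "192.0.2.10")
	withCA := x509.NewCertPool()
	withCA.AddCert(ca.cert)
	fmt.Println("key matches cert:      ", keyMatchesCert(srv))
	fmt.Println("client without the CA: ", verifyAs(srv.cert, x509.NewCertPool(), "192.0.2.10"))
	fmt.Println("client with the CA:    ", verifyAs(srv.cert, withCA, "192.0.2.10"))
	fmt.Println("wrong address, same CA:", verifyAs(srv.cert, withCA, "192.0.2.11"))
}
```

The same three checks can be run against the real files with openssl: `openssl verify -CAfile ca.pem cert.pem` for the chain (include intermediates in ca.pem if there are any), and comparing the output of `openssl x509 -noout -pubkey -in cert.pem` with `openssl pkey -pubout -in key.pem` for the key match. Whichever side reports the error is the side whose trust store lacks the CA; for the Vault CLI that store is supplied through VAULT_CACERT.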