Plugin tls init: Put "https://example:8200/v1/sys/wrapping/unwrap": x509: certificate signed by unknown authority

2022-04-22T01:34:58.785Z [ERROR] secrets.vault-plugin-secrets-tencentcloud.vault-plugin-secrets-tencentcloud_bd7b8af4.vault-plugin-secrets-tencentcloud.vault-plugin-secrets-tencentcloud: plugin tls init: error="error during token unwrap request: Put \"https://vault-0.vault.vault-internal.svc.cluster.local:8200/v1/sys/wrapping/unwrap\": x509: certificate signed by unknown authority"

Did you try

That might work, but I’m uncertain if it’ll be passed along in the environment from the Vault server to plugins it launches.

It would probably be better to put the CA used to sign the Vault server’s certificate, into the OS-level trusted CA certificate bundle on the Vault nodes, so that the default Go SSL code will trust it.

vault plugin register -args: is there an example of the args? Please show me an example.

What about something like "vault plugin register -ca-cert=/path/to/your/ca.crt" to specify your CA certificate?

I am using my own CA (pfSense), and with some vault commands I had to use -ca-cert or -leader-ca-cert to get rid of the same error you’re experiencing.

Should you be talking directly to the pod itself? Normally you talk to the ingress and let it pass the TLS along.

This is normal and expected, if api_addr is set according to the default recommendations on High Availability | Vault by HashiCorp.

Personally, I regard it as unfortunate design that plugins use api_addr as part of their initialisation, as it couples local plugin startup to a configuration that affects external clients, but that’s how it currently is in Vault today.