I hope everyone is doing well. I am currently facing an issue when attempting to connect with HashiCorp Vault, and I am seeking the help and guidance of the community to resolve it. Here are the details of the problem I am experiencing:
Error when trying to connect:
"Get "https://vault-svcs-test.atlax360.com:8200/v1/sys/internal/ui/mounts/secret": tls: failed to verify certificate: x509: certificate signed by unknown authority"
Configuration Details:
A certificate is installed, and the pods show that it is correctly mounted with the following values in the listener:
"[ERROR] handler: http: TLS handshake error from 192.168.0.24:56804: remote error: tls: bad certificate"
Contents of the secrets:
vault.ca (Intermediate CA Certificate and Root CA Certificate)
-----BEGIN CERTIFICATE-----
MIIEyDCCA7CgAwIBAgIQDPW9BitWAvR6uFAsI8zwZ
//Intermediate CA Certificate
JCqVJUzKoZHm1Lesh3Sz8W2jmdv51b2EQJ8HmA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TAN
// Root CA Certificate
BgkqhkiG9w0BAQsFADBhMrY=
-----END CERTIFICATE-----
vault.crt (Domain Name Certificate)
-----BEGIN CERTIFICATE-----
MIIH7zCCBtegAwIBAgIQBWHPMHTwOKQ2CpeBxy
// Domain Name Certificate
RAGHDSz/iKsRIofmCMFiirdS1Q==
-----END CERTIFICATE-----
At this point, I believe the issue could be in the configuration of the data within the secrets. If anyone has any ideas or suggestions on how to address this problem, I would greatly appreciate it.
Thank you in advance for any help you can provide!
The certificate has been obtained through DigiCert Company.
If I set the specified variable, it works without any issues, but I would prefer not to skip the TLS verification.
It used to work fine before; the error has occurred after updating the certificate. I’ve conducted tests by setting up Vault from scratch and using other certificates, but it doesn’t recognize the CA in any of the trials. All company certificates are requested through DigiCert, so using a different CA is not an option.
I guess you updated your certificates due to a domain change. Did you follow the same procedure for creating these new certificates as you did with the previous ones? My last guess would be to check for the certificate chain order. Sometimes, if the certificates are not arranged correctly — typically with the server certificate first, followed by the intermediate and then the root certificate — it can lead to errors in verification. Ensuring the correct order might resolve the issue.
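As an added example (not code from this thread or from Vault itself), the Go program below applies the same chain check a Go client such as the Vault CLI performs when VAULT_CACERT points at the contents of vault.ca, so the two secret files can be tested offline for both of the layouts discussed above (intermediate plus root in vault.ca, or leaf followed by intermediate in vault.crt). It assumes the listener sends vault.crt in file order; the certificates that mkCert mints are constructed test data, and the host name vault.example.test is a placeholder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// VerifyVaultTLS applies the check a Go client such as the Vault CLI makes with VAULT_CACERT:
// the first certificate in vault.crt is the server certificate, any further ones in that file
// are intermediates the listener would send, and everything in vault.ca is a trust anchor.
func VerifyVaultTLS(crtPEM, caPEM []byte, host string) error {
	var chain []*x509.Certificate
	for b, rest := pem.Decode(crtPEM); b != nil; b, rest = pem.Decode(rest) {
		if c, err := x509.ParseCertificate(b.Bytes); err == nil && b.Type == "CERTIFICATE" {
			chain = append(chain, c) // file order is kept: the leaf must come first
		}
	}
	roots := x509.NewCertPool()
	if len(chain) == 0 || !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("vault.crt or vault.ca holds no parseable certificate")
	}
	inters := x509.NewCertPool()
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err // nil when the chain closes; otherwise e.g. "x509: certificate signed by unknown authority"
}

// mkCert mints a constructed test certificate (not a real DigiCert one) and returns it with its
// key; parent nil means self-signed, otherwise parent and parentKey sign the new certificate.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
```

Feed it the PEM text of the two secrets and the listener's host name: a failure with the leaf alone in vault.crt that disappears once the intermediate is appended after the leaf points at the listener file, not at the CA.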