Seeking Assistance with TLS Connection Error in HashiCorp Vault

Hello HashiCorp Vault community,

I hope everyone is doing well. I am currently facing an issue when attempting to connect with HashiCorp Vault, and I am seeking the help and guidance of the community to resolve it. Here are the details of the problem I am experiencing:

Error when trying to connect:

"Get "": tls: failed to verify certificate: x509: certificate signed by unknown authority"

Configuration Details:

  • A certificate is installed, and the pods show that it is correctly mounted with the following values in the listener:
    tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
    tls_key_file  = "/vault/userconfig/vault-server-tls/vault.key"
  • Additionally, the environment variable VAULT_CACERT is set as:
VAULT_CACERT: /vault/userconfig/vault-server-tls/

Error in the injector logs:

"[ERROR] handler: http: TLS handshake error from remote error: tls: bad certificate"

Contents of the secrets:

  1. (Intermediate CA Certificate and Root CA Certificate)
//Intermediate CA Certificate
// Root CA Certificate)
  1. vault.crt (Domain Name Certificate)
// Domain Name Certificate

At this point, I believe the issue could be in the configuration of the data within the secrets. If anyone has any ideas or suggestions on how to address this problem, I would greatly appreciate it.

Thank you in advance for any help you can provide!

Best regards,
Jesus Contreras

Hello Jesus,

it think it stems from your certificates. Did you create the certificates by yourself, or did you create them with a Certificate Authority (CA) ?

Best regards Lukas

Hello Lukas,

We’ve received the certificate from a CA. I obtained the root and intermediate certificates through the one they sent us.

The process I followed to extract the certificates once the PFX file was received:

For the main certificate:

openssl pkcs12 -in file.pfx -out certificate.crt -clcerts -nokeys

For the root and intermediate certificates:

openssl pkcs12 -in file.pfx -nodes -nokeys -cacerts -out cacertificate.pem

Thanks in advance for your help!

Where did you obtain your certificate?

Can you connect via the CLI using the TLS skip verify option? To do this, set the following in your environment variable:


You might also consider trying a certificate from a different CA.

The certificate has been obtained through DigiCert Company.

If I set the specified variable, it works without any issues, but I would prefer not to skip the TLS verification.

It used to work fine before; the error has occurred after updating the certificate. I’ve conducted tests by setting up Vault from scratch and using other certificates, but it doesn’t recognize the CA in any of the trials. All company certificates are requested through DigiCert, so using a different CA is not an option.

Thank you!

I guess you updated your certificates due to a domain change. Did you follow the same procedure for creating these new certificates as you did with the previous ones? My last guess would be to check for the certificate chain order. Sometimes, if the certificates are not arranged correctly — typically with the server certificate first, followed by the intermediate and then the root certificate — it can lead to errors in verification. Ensuring the correct order might resolve the issue.

Yes, I have followed the same procedure throughout, but something has changed, and I can’t seem to pinpoint it.

Currently, the order of the certificate chain is as follows:


  1. Intermediate CA Certificate
  2. Root CA Certificate


  1. Domain Certificate only.

Is this the correct order?

Thanks in advance.

The order seems correct to me. I’m not sure where else the error could be coming from.