Using ACM with Vault TLS

Curious if anyone has succeeded in getting HA Vault Server backed by Consul using AWS Certificate Manager.

The issue I am running into is that you cannot download an ACM certificate’s keys, and if you enable TLS in the vault server config it requires that the certs and keys be on the host in this config block:

# /etc/vault/server.hcl
...
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_disable   = 0
  tls_cert_file = "/etc/ssl/certs/${fqdn}.crt"
  tls_key_file  = "/etc/ssl/certs/${fqdn}.key"
}
...

We would like to use ACM to generate the cert for the HTTPS load balancer that we are putting in front of our vault servers, but it seems that vault requires the load balancer certificate be the same cert that is loaded on the host, which we cannot do with ACM.

Has anyone worked this out? We would much prefer not to use a self-signed cert for HTTPS and have to install it on everyone’s laptops.

Thanks!

If you are using an ALB in front of Vault it can be configured to use an ACM certificate. The connection between the ALB and Vault can then be protected using whatever TLS certificate you like (e.g. self-signed) as the ALB doesn’t check the backend certificate chain.

If you are talking about using a NLB in front of Vault you would need to use a different certificate as ACM cannot be used outside of a limited number of AWS resources (which doesn’t include downloading certificates to EC2, ECS or EKS instances).

Thanks! This is an inherited module and it is still using a classic ELB. I’ll try switching over to an ALB and see if we can get it functional. Thanks for your help!

In my case I am using an ALB in front of Vault and it is using ACM. For Vault TLS I generated a self-signed certificate in my local environment and am using it in the Vault config file.

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = false
  tls_cert_file = "/etc/cert/vault-cert.pem"
  tls_key_file = "/etc/cert/vault-key.pem"
}

When I restart my Vault service and check the Vault status I get an error that says

Code: 400. Raw Message:

Client sent an HTTP request to an HTTPS server.

Can you help where I am making a mistake?

You need to check that you are using https:// in the URL on the client side. Check the command line or the VAULT_ADDR environment variable.
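As an added example (not posted by anyone in this thread), a small POSIX shell check that reproduces the diagnosis from the last reply: it reads the `tls_disable` value from a listener stanza and compares it with the scheme of `VAULT_ADDR`, so a TLS-enabled listener paired with an `http://` address is reported before Vault answers "Client sent an HTTP request to an HTTPS server". The listener text embedded below is constructed to match the stanza shape shown above; the function names are my own, not Vault's.

```shell
# Constructed sample listener stanza (not a real deployment file).
SAMPLE_HCL='listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_disable   = false
  tls_cert_file = "/etc/cert/vault-cert.pem"
  tls_key_file  = "/etc/cert/vault-key.pem"
}'

# listener_tls_enabled CONFIG_TEXT -> prints "yes" if the listener expects TLS, "no" otherwise.
# Vault accepts tls_disable as 0/1 or false/true (quoted or bare); an absent key means TLS is on.
listener_tls_enabled() {
  value=$(printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*tls_disable[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*$/\1/p' \
    | head -n 1)
  case "$value" in
    1|true|True|TRUE) echo no ;;
    *) echo yes ;;
  esac
}

# vault_addr_scheme URL -> prints the lower-cased scheme (http or https) of a VAULT_ADDR value,
# or nothing if the value carries no scheme at all.
vault_addr_scheme() {
  printf '%s\n' "$1" | sed -n 's#^\([a-zA-Z][a-zA-Z0-9+.-]*\)://.*$#\1#p' | tr 'A-Z' 'a-z'
}

# check_vault_addr CONFIG_TEXT VAULT_ADDR -> prints "ok" and returns 0 when the client scheme
# matches the listener's TLS setting; otherwise prints a diagnosis and returns 1.
check_vault_addr() {
  tls=$(listener_tls_enabled "$1")
  scheme=$(vault_addr_scheme "$2")
  if [ -z "$scheme" ]; then
    echo "invalid: VAULT_ADDR has no scheme (expected https://host:8200)"
    return 1
  fi
  if [ "$tls" = yes ] && [ "$scheme" = http ]; then
    echo "mismatch: listener has TLS enabled but VAULT_ADDR uses http:// (Vault replies 'Client sent an HTTP request to an HTTPS server')"
    return 1
  fi
  if [ "$tls" = no ] && [ "$scheme" = https ]; then
    echo "mismatch: listener has tls_disable set but VAULT_ADDR uses https://"
    return 1
  fi
  echo ok
}

# Usage against a real host (paths and variable from the thread):
#   check_vault_addr "$(cat /etc/vault/server.hcl)" "${VAULT_ADDR:-}"
```

The check only looks at the scheme; with a self-signed backend cert you will additionally need `VAULT_CACERT` (or `-tls-skip-verify` for a quick local test) when talking to the node directly rather than through the ALB that holds the ACM certificate.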