Vault CA with Connect and Envoy; certificate problems

Are there any known gotchas for getting Envoy to work with Connect around TLS certificates? I am using Vault as the CA for Connect.

I have something that works completely fine for the builtin Connect proxy. I substitute Envoy and it doesn’t work at all.

Envoy reports things like this on the initiating side:

[2020-05-07 21:57:56.442][842][debug][filter] [external/envoy/source/common/tcp_proxy/tcp_proxy.cc:378] [C1] Creating connection to cluster echo.default.dc1.internal.234a8207-5a0c-1745-44e2-b23f21a15104.consul
[2020-05-07 21:57:56.443][842][debug][connection][external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:198][C2] handshake error: 1
[2020-05-07 21:57:56.443][842][debug][connection][external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:226] [C2] TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
[2020-05-07 21:57:56.443][842][debug][connection][external/envoy/source/common/network/connection_impl.cc:192] [C2] closing socket: 0

… and things like this on the receiving side:

[2020-05-07 22:12:13.696][1779][debug][connection][external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:226] [C9] TLS error: 268436504: **SSL** routines:OPEN **SSL** _internal:TLSV1_ALERT_UNKNOWN_CA

… which really doesn’t tell me much other than something has gone horribly wrong at the TLS level.

Any ideas on where to go with this?

Cross-reference to more information