Vault status always failing with "Bad certificate"

Vault 1.2.0

After I enabled "tls_require_and_verify_client_cert" in the listener config, "vault status xxx" now always shows me this error:

Error checking seal status: Get remote error: tls: bad certificate

I have tried various combinations of the command, such as:
vault status -ca-cert=/tmp/CA_of_server -client-cert=/tmp/cert.pem -client-key=/tmp/key.pem

where /tmp/CA_of_server is the CA of the server, and client-cert and client-key are the ones the vault status command uses. Any suggestions for what my problem is and how to debug it?

More information:
For the server listener "tcp", I have configured it this way:

tls_cert_file = "/usr/files/server-cert.pem"
tls_key_file = "/usr/files/server-key.pem"
tls_client_ca_file = "/usr/files/truststore.pem"
tls_require_and_verify_client_cert = 1

where "tls_client_ca_file" is a PEM file which has multiple CAs concatenated. I think this is used to check the client certificate; since different clients can have different CAs, I put all supported CAs inside.
If I set "tls_require_and_verify_client_cert = 0" here, i.e., do not verify the client cert, everything works fine.

For the "vault status" command, I am running the command from the same pod, using this:

vault status -client-cert=/usr/files/server-cert.pem -client-key=/usr/files/server-key.pem -ca-cert=/tmp/single_CA_signed_server_cert.pem

FYI, for testing purposes the vault status command now uses the same cert/key as the server is using, and the "ca_cert" is the ICA that signed server-cert.pem. I think things match up properly, but I always get the "remote error: tls: bad certificate" error.

Just an update:

For the "vault status" command, I re-generated a cert/key pair which is not the server cert Vault is using, and with that cert/key it works now.

Also, it is not "vault status" specific; it is general for all Vault client calls.
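An added diagnostic, not part of the original post and not Vault's own code: Vault's listener is Go's crypto/tls, and a Go TLS server that requires client certificates verifies the presented leaf against the pool built from tls_client_ca_file while demanding the clientAuth Extended Key Usage. The program below reproduces that exact check offline so you can see which reason a "bad certificate" alert corresponds to. It builds a constructed, in-memory PKI (an issuing CA, an unrelated CA, a server cert carrying only serverAuth, and a client cert carrying clientAuth) and runs VerifyClientCert over the same three situations the post describes: server cert reused as client cert, proper client cert, and client cert whose issuer is missing from the truststore. The assumption that the poster's server-cert.pem lacks clientAuth is mine; the page does not show the cert, but it is consistent with a freshly generated pair working.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue mints a P-256 certificate for cn. With parent == nil it is self-signed;
// otherwise it is signed by parent. eku is the Extended Key Usage list written into it.
// Constructed test material only: nothing here is real key material.
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku, // nil on a CA means "unrestricted"
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// VerifyClientCert applies the check a Go TLS listener runs on a presented client
// certificate: every CA in truststorePEM (the role tls_client_ca_file plays) is a trust
// anchor, and the leaf must chain to one of them AND carry the clientAuth EKU.
// nil means the handshake would pass; the error is the reason the server would reject it.
func VerifyClientCert(leafPEM, truststorePEM []byte) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return errors.New("client cert: no PEM block found")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("client cert: %w", err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(truststorePEM) {
		return errors.New("truststore: no CA certificates could be parsed")
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Scenario is the constructed PKI used by the demonstration.
type Scenario struct {
	IssuingCAPEM, OtherCAPEM, ServerPEM, ClientPEM []byte
}

// BuildScenario creates an issuing CA (the one that belongs in the truststore), an unrelated
// CA, a server cert with serverAuth only, and a client cert with clientAuth.
func BuildScenario() Scenario {
	ca, caKey, caPEM := issue("Issuing CA (hypothetical)", true, nil, nil, nil)
	_, _, otherPEM := issue("Unrelated CA (hypothetical)", true, nil, nil, nil)
	_, _, serverPEM := issue("vault.example.internal", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	_, _, clientPEM := issue("vault-cli", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	return Scenario{IssuingCAPEM: caPEM, OtherCAPEM: otherPEM, ServerPEM: serverPEM, ClientPEM: clientPEM}
}

func main() {
	s := BuildScenario()
	cases := []struct {
		name       string
		leaf, pool []byte
	}{
		{"server cert presented as client cert", s.ServerPEM, s.IssuingCAPEM},
		{"client cert, issuer in truststore", s.ClientPEM, s.IssuingCAPEM},
		{"client cert, issuer NOT in truststore", s.ClientPEM, s.OtherCAPEM},
	}
	for _, c := range cases {
		fmt.Printf("%-40s -> %v\n", c.name, VerifyClientCert(c.leaf, c.pool))
	}
}
```

Running it prints an "incompatible key usage" error for the first case and an "unknown authority" error for the third; only the second passes. To apply the same check to real files, read the leaf you pass as -client-cert and the bundle configured as tls_client_ca_file into VerifyClientCert: the error string is the server-side reason that reaches the client only as the generic "bad certificate" alert.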