I just tried this suggestion from the GitHub issue "Consul Auto Encrypt: Client Certificate says 'x509: certificate signed by unknown authority'" (Issue #8636, hashicorp/consul):
curl -k https://127.0.0.1:8501/v1/connect/ca/roots | jq -r '.Roots[]."RootCert"' >> /ca.cert
export CONSUL_CACERT=/ca.cert
It works on the Consul client. I can run consul members now without issues. But is this the only way to solve this? Is my CA cert generated by consul tls ca create no longer used when auto_encrypt is enabled?