Introduction
The "certificate signed by unknown authority" error frequently appears when users configure and install their own certificates. This article presents options for troubleshooting the error when you encounter it, together with the possible solutions.
Problem
There are many instances where you can encounter the following error:
X.509 Certificate Signed by Unknown Authority
It is important to verify and check where this error is observed, and in what scenario. In the Solutions section below, we will present some of the most common scenarios involving this issue and the options to resolve them.
Prerequisites (if applicable)
This article assumes that the Vault listener is configured for TLS and that Vault has been configured with self-signed certificates.
Solutions
Note: the issue can also be avoided by not configuring Vault with self-signed certificates. However, we understand that this is often not an option for many users, so the CA certificate then needs to be supplied to Vault, or installed into the trust store of the machine facing the issue. The solutions presented below only provide guidelines and options from the Vault side. Instructions for importing/installing certificates vary by operating system, so please consult your OS vendor if you wish to import/install certificates into the trust store of your machines.
Below are the most common scenarios where an operator would encounter the certificate signed by unknown authority error:
Scenario 1:
The error is observed in the Vault operational logs, and it is logged by the listener side of Vault:
Solution: Check that the tls_client_ca_file option is configured on the listener and contains the CA that signed the client certificates. Alternatively, you can disable client authentication for your listener. Please consult your security team before disabling client authentication for your Vault listener.
Scenario 2:
The error is logged in the Vault operational logs when joining a Vault node to a Vault cluster with the vault operator raft join command. The bad certificate error is observed in the Vault operational logs on the listener side of the node it is attempting to join:
Solution: The -leader-ca-cert option needs to be passed to the vault operator raft join command. For example:
$ vault operator raft join -leader-ca-cert="..." "https://127.0.0.2:8200"
Scenario 3:
The error is logged in the Vault operational logs when a Vault node is trying to join the Vault cluster with a retry_join stanza enabled. The bad certificate error is observed in the Vault operational logs on the listener side of the node it is attempting to join:
Solution: Either leader_ca_cert_file or leader_ca_cert needs to be configured in the retry_join stanza. Please refer to the Example Configuration listed under the retry_join stanza section in our official docs.
Scenario 4:
The error is logged in the Vault operational logs on the node where Performance or Disaster Recovery Replication is being set up. The bad certificate error is observed in the Vault operational logs on the listener side of the node it is trying to replicate data from:
Solution: Either ca_file or ca_path should be configured when enabling replication. You may refer to the API docs for Performance Replication and Disaster Recovery for more details. Note that this option can also be set from the UI during the enable step.
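As an added example (not part of the original article and not Vault's own code), the following Go program reproduces the failure behind scenarios 2 to 4 and shows what the fix changes. A constructed in-memory CA signs a listener certificate, a local HTTPS server presents it, and a client handshake is attempted first with an empty trust store (what a node has when no leader_ca_cert_file / ca_file has been configured) and then with the CA supplied. Go is used because Vault is written in Go and the message in the log is Go's own x509 error. All names (newTestPKI, startListener, probe, isUnknownAuthority, the CN vault-1.example.internal) are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// must panics on error; fine for building a throwaway test fixture.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template returns a certificate skeleton valid for one day with the given serial and CN.
func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}

// issue generates a key and a certificate from tmpl signed by parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// newTestPKI is a constructed, in-memory stand-in for a self-signed Vault deployment: the CA
// certificate (what leader_ca_cert_file / ca_file would point at), the listener cert and its key.
func newTestPKI() (caPEM, leafPEM, leafKeyPEM []byte) {
	ca := template(1, "Constructed Private CA")
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	caKey, caPEM := issue(ca, nil, nil)
	leaf := template(2, "vault-1.example.internal")
	leaf.KeyUsage, leaf.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leaf.IPAddresses = []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")} // httptest binds loopback
	leafKey, leafPEM := issue(leaf, ca, caKey)
	keyDER := must(x509.MarshalECPrivateKey(leafKey))
	return caPEM, leafPEM, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

// startListener stands in for the leader's TLS listener: an HTTPS server presenting certPEM.
func startListener(certPEM, keyPEM []byte) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{must(tls.X509KeyPair(certPEM, keyPEM))}}
	srv.StartTLS()
	return srv
}

// trustStore is the root pool a node would use: only the CAs in caPEM, or an empty store when
// caPEM is nil (the situation when no leader_ca_cert_file / ca_file has been configured).
func trustStore(caPEM []byte) *x509.CertPool {
	roots := x509.NewCertPool()
	if len(caPEM) > 0 && !roots.AppendCertsFromPEM(caPEM) {
		panic("no CA certificate found in the supplied PEM")
	}
	return roots
}

// probe is the joining node's side: handshake with addr trusting only caPEM, return the client-side error.
func probe(addr string, caPEM []byte) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: trustStore(caPEM)})
	if err != nil {
		return err
	}
	return conn.Close()
}

// isUnknownAuthority reports whether err is the x509 failure logged as "certificate signed by unknown authority".
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	caPEM, leafPEM, leafKeyPEM := newTestPKI()
	srv := startListener(leafPEM, leafKeyPEM)
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	fmt.Println("no CA configured:", probe(addr, nil))   // x509: certificate signed by unknown authority
	fmt.Println("CA configured:   ", probe(addr, caPEM)) // <nil>
}
```

Running it prints the unknown authority error for the first probe (from Go 1.20 onwards prefixed with "tls: failed to verify certificate:") and <nil> for the second, while the server side logs "TLS handshake error ... remote error: tls: bad certificate". That is exactly the split the scenarios above describe: the node that opens the connection reports the unknown authority, and the listener it connects to only sees the bad-certificate alert. Calling probe with a CA file that did not sign the listener's certificate fails in the same way, so it also serves as a check that the file you are about to configure as leader_ca_cert_file or ca_file is the right one.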
Notes
Please note that the above is not a comprehensive list. If you need assistance troubleshooting the error, please raise a support ticket.
Selected links referenced in this article:
https://en.wikipedia.org/wiki/Self-signed_certificate
https://developer.hashicorp.com/vault/docs/configuration/storage/raft#retry_join-stanza
https://developer.hashicorp.com/vault/docs/commands/operator/raft#parameters
https://developer.hashicorp.com/vault/api-docs/system/replication/replication-performance#ca_file
https://developer.hashicorp.com/vault/api-docs/system/replication/replication-dr#ca_file