Skip to content
Latchkey

Vault "x509: certificate signed by unknown authority" in CI

The TLS handshake to Vault failed because the runner cannot verify the server certificate chain. Vault is often fronted by a private or internal CA that the runner does not trust by default.

What this error means

Any HTTPS call to Vault fails with "tls: failed to verify certificate: x509: certificate signed by unknown authority".

vault
Error making API request.

URL: GET https://vault.example.com/v1/sys/health
Code: -1. Errors:

* Get "https://vault.example.com/v1/sys/health": tls: failed to verify certificate:
  x509: certificate signed by unknown authority

Common causes

The runner trust store lacks the signing CA

Vault presents a certificate from an internal CA not in the runner's system trust bundle, so verification fails.

VAULT_CACERT is not provided to the client

When the CA is private, the client needs to be pointed at the CA file with VAULT_CACERT; without it, no chain validates.

How to fix it

Point the client at the CA bundle

  1. Write the CA certificate to a file from a CI secret.
  2. Set VAULT_CACERT to that path so the client validates the chain.
  3. Re-run; verification should now succeed.
bash
echo "$VAULT_CA_PEM" > /tmp/vault-ca.pem
export VAULT_CACERT=/tmp/vault-ca.pem
vault status

Pass the CA to hashicorp/vault-action

The action accepts the CA inline so you do not disable verification.

.github/workflows/ci.yml
- uses: hashicorp/vault-action@v3
  with:
    url: ${{ secrets.VAULT_ADDR }}
    caCertificate: ${{ secrets.VAULT_CA_PEM }}
    method: approle
    roleId: ${{ secrets.VAULT_ROLE_ID }}
    secretId: ${{ secrets.VAULT_SECRET_ID }}

How to prevent it

  • Distribute the internal CA to CI via a secret and set VAULT_CACERT.
  • Avoid VAULT_SKIP_VERIFY=true; it disables TLS validation entirely.
  • Rotate and update the CA secret before the certificate chain changes.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →