Vault "x509: certificate signed by unknown authority" in CI
The TLS handshake to Vault failed because the runner cannot verify the server certificate chain. Vault is often fronted by a private or internal CA that the runner does not trust by default.
What this error means
Any HTTPS call to Vault fails with "tls: failed to verify certificate: x509: certificate signed by unknown authority".
vault
Error making API request.
URL: GET https://vault.example.com/v1/sys/health
Code: -1. Errors:
* Get "https://vault.example.com/v1/sys/health": tls: failed to verify certificate:
x509: certificate signed by unknown authorityCommon causes
The runner trust store lacks the signing CA
Vault presents a certificate from an internal CA not in the runner's system trust bundle, so verification fails.
VAULT_CACERT is not provided to the client
When the CA is private, the client needs to be pointed at the CA file with VAULT_CACERT; without it, no chain validates.
How to fix it
Point the client at the CA bundle
- Write the CA certificate to a file from a CI secret.
- Set
VAULT_CACERTto that path so the client validates the chain. - Re-run; verification should now succeed.
bash
echo "$VAULT_CA_PEM" > /tmp/vault-ca.pem
export VAULT_CACERT=/tmp/vault-ca.pem
vault statusPass the CA to hashicorp/vault-action
The action accepts the CA inline so you do not disable verification.
.github/workflows/ci.yml
- uses: hashicorp/vault-action@v3
with:
url: ${{ secrets.VAULT_ADDR }}
caCertificate: ${{ secrets.VAULT_CA_PEM }}
method: approle
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}How to prevent it
- Distribute the internal CA to CI via a secret and set
VAULT_CACERT. - Avoid
VAULT_SKIP_VERIFY=true; it disables TLS validation entirely. - Rotate and update the CA secret before the certificate chain changes.
Related guides
Vault "connection refused" / "no such host" (VAULT_ADDR) in CIFix Vault "connection refused" or "no such host" in CI - VAULT_ADDR is unset, wrong, or points at a host the…
Vault "Error making API request ... Code: 403" in CIFix Vault "Error making API request ... Code: 403" in CI - the token authenticated but is not authorized for…
Vault "context deadline exceeded" (timeout) in CIFix Vault "context deadline exceeded" in CI - the client timed out reaching Vault because of network latency,…