Certificate Verification Error with Vault Using Consul over HTTPS Despite Valid Certificates

Describe the bug When using Vault with Consul as the storage backend over HTTPS, Vault continuously logs a

"tls: failed to verify certificate: x509: certificate signed by unknown authority"

error. This error occurs despite correct configuration, and even when the certificates are verified manually using tools like curl, for example:

sudo -u vault curl --cacert /etc/consul.d/consul-agent-ca.pem --cert /etc/consul.d/velp-server-consul-0.pem --key /etc/consul.d/velp-server-consul-0-key.pem -H "X-Consul-Token: [TOKEN]" https://consul.service.consul:8501/v1/kv/vault/core/migration

It works just fine, but when I try to run the server, I get this:

sudo -u vault /usr/bin/vault server -config=/etc/vault.d/vault.hcl -log-level=debug -dev

WARNING! Unable to read storage migration status.
2023-09-30T21:23:37.325+0300 [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
2023-09-30T21:23:37.325+0300 [DEBUG] storage.consul: config path set: path=vault/
2023-09-30T21:23:37.325+0300 [DEBUG] storage.consul: config address set: address=consul.service.consul:8501
2023-09-30T21:23:37.325+0300 [DEBUG] storage.consul: config scheme set: scheme=https
2023-09-30T21:23:37.325+0300 [DEBUG] storage.consul: config token set
2023-09-30T21:23:37.325+0300 [DEBUG] storage.consul: configured TLS
2023-09-30T21:23:37.342+0300 [WARN]  storage migration check error: error="Get \"https://consul.service.consul:8501/v1/kv/vault/core/migration\": tls: failed to verify certificate: x509: certificate signed by unknown authority"

To Reproduce

Set up Vault with Consul as the storage backend, using HTTPS for communication.
Configure TLS for Vault and Consul using the respective certificates.
Start the Vault server.
Observe the continuous logging of the error "tls: failed to verify certificate: x509: certificate signed by unknown authority", even though tools like curl verify the certificates successfully.

Expected behavior Vault should successfully connect to Consul over HTTPS without any certificate verification errors, especially when the certificates have been verified to be correct.

Environment:

Vault Server Version: 1.15.0
Vault CLI Version: 1.15.0
Server Operating System/Architecture: Ubuntu 22.04
Consul Server Version: 1.16.2

Vault server configuration file(s):

# Enable UI for demo purposes
ui = true

# Cluster addresses
cluster_addr = "https://[IP_ADDRESS]:8201"
api_addr     = "https://[IP_ADDRESS]:8200"

# Consul storage backend
storage "consul" {
  address = "consul.service.consul:8501"
  scheme = "https"
  path    = "vault/"
  token   = "[TOKEN]"

  ca_file   = "/etc/consul.d/consul-agent-ca.pem"
  cert_file = "/etc/consul.d/velp-server-consul-0.pem"
  key_file  = "/etc/consul.d/velp-server-consul-0-key.pem"
}

# TLS Listener
listener "tcp" {
  address            = "0.0.0.0:8200"
  tls_cert_file      = "/opt/vault/tls/vault-cert.pem"
  tls_key_file       = "/opt/vault/tls/vault-key.pem"
  tls_client_ca_file = "/opt/vault/tls/vault-ca.pem"
}

Additional context We verified that the certificates were correctly set up by successfully connecting to the Consul server using curl with the specified certificates. The error seems to be specific to Vault's interaction with Consul over HTTPS. Although I'm very very new on the HashiCorp stack, so I might be missing something simple?

hashicorp / vault

Certificate Verification Error with Vault Using Consul over HTTPS Despite Valid Certificates #23427