From 6c904f7dc9bb4304a42cbe2fef2c18f5c57b1fd9 Mon Sep 17 00:00:00 2001
From: "Rodrigo Rodriguez (Pragmatismo)" <me@rodrigorodriguez.com>
Date: Fri, 9 Jan 2026 10:33:11 -0300
Subject: [PATCH] fix: Remove mTLS requirement from Vault config to fix health
 check failures

- Remove tls_client_ca_file from vault config in installer.rs (Linux and macOS)
- Remove tls_client_ca_file from vault config in bootstrap/mod.rs
- TLS encryption still enabled, just no client certificate required
- Health checks now work with simple -sk curl flags
---
 src/core/bootstrap/mod.rs             | 1 -
 src/core/package_manager/installer.rs | 2 --
 2 files changed, 3 deletions(-)

diff --git a/src/core/bootstrap/mod.rs b/src/core/bootstrap/mod.rs
index 9257d9168..36c90db45 100644
--- a/src/core/bootstrap/mod.rs
+++ b/src/core/bootstrap/mod.rs
@@ -2098,7 +2098,6 @@ listener "tcp" {
   tls_disable   = false
   tls_cert_file = "../../conf/system/certificates/vault/server.crt"
   tls_key_file  = "../../conf/system/certificates/vault/server.key"
-  tls_client_ca_file = "../../conf/system/certificates/ca/ca.crt"
 }
 
 # API settings - use HTTPS
diff --git a/src/core/package_manager/installer.rs b/src/core/package_manager/installer.rs
index 051e3e068..aee1aefdb 100644
--- a/src/core/package_manager/installer.rs
+++ b/src/core/package_manager/installer.rs
@@ -912,7 +912,6 @@ listener "tcp" {
   tls_disable   = false
   tls_cert_file = "{{CONF_PATH}}/system/certificates/vault/server.crt"
   tls_key_file  = "{{CONF_PATH}}/system/certificates/vault/server.key"
-  tls_client_ca_file = "{{CONF_PATH}}/system/certificates/ca/ca.crt"
 }
 
 api_addr = "https://localhost:8200"
@@ -938,7 +937,6 @@ listener "tcp" {
   tls_disable   = false
   tls_cert_file = "{{CONF_PATH}}/system/certificates/vault/server.crt"
   tls_key_file  = "{{CONF_PATH}}/system/certificates/vault/server.key"
-  tls_client_ca_file = "{{CONF_PATH}}/system/certificates/ca/ca.crt"
 }
 
 api_addr = "https://localhost:8200"