Failed to sign CSR

And here’s what Vault gives ,

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7c:a0:a6:bf:49:63:11:46:da:cb:74:31:3b:fe:2d:dd:9a:d4:d3:4a
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Istio Root
        Validity
            Not Before: Sep 12 23:25:47 2019 GMT
            Not After : Oct 14 23:26:17 2019 GMT
        Subject: CN=Istio Intermediate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9e:9b:4f:d2:6d:7d:fd:f6:bb:af:9a:6e:e1:e0:
                    98:37:79:ff:4f:cd:2b:f1:21:28:88:44:e5:bf:23:
                    4d:21:6d:cc:b7:6e:96:ab:e9:ce:5f:56:17:7c:c1:
                    48:64:c1:54:05:f1:45:37:b2:bf:da:9b:09:43:4c:
                    4b:b9:31:6b:05:b7:11:6c:25:e3:99:bc:c7:d9:3a:
                    6b:2a:ca:0f:7e:0b:c9:10:7b:1c:e0:99:b7:21:e5:
                    09:31:27:ec:b0:07:f6:1c:f7:3f:c4:b1:8e:cf:bf:
                    89:40:79:c3:db:2d:ca:21:15:44:b1:9b:ac:74:e7:
                    51:ef:95:32:cc:f8:a8:8c:8a:96:71:e3:8c:44:6e:
                    3e:a5:bf:cb:93:95:73:9b:06:4b:ac:09:21:05:2c:
                    4c:44:15:77:17:b8:44:65:d6:ca:e2:5c:5a:c6:0c:
                    c3:2a:a3:d3:f0:10:41:d8:58:ff:23:ff:f3:ac:32:
                    78:14:44:5b:d2:de:81:b4:97:5e:47:6b:e3:61:22:
                    58:10:3f:48:88:38:b7:90:66:43:5e:64:fe:41:b5:
                    8c:89:7a:36:bb:76:04:0b:48:41:43:d1:08:47:c7:
                    dd:a1:c9:fd:cc:4d:88:b8:df:b6:b4:81:12:f9:00:
                    66:bb:9e:7f:7f:65:6e:5c:38:12:16:a4:ce:63:b1:
                    7b:e1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                6D:14:91:45:F7:B4:A9:AF:EC:38:CE:7B:A0:5B:50:A3:DC:34:4A:8D
            X509v3 Authority Key Identifier:
                keyid:9F:7F:F9:A0:44:DB:82:52:D6:A8:76:9E:D6:B5:EF:29:75:97:CB:11

            Authority Information Access:
                CA Issuers - URI:https://x.x.x.x/v1/istio_ca/ca

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:https://x.x.x.x/v1/istio_ca/crl

    Signature Algorithm: sha256WithRSAEncryption
         16:40:95:67:78:57:45:ae:85:82:60:31:81:0c:de:a4:c5:73:
         3a:4b:4d:bd:54:5c:19:29:b0:be:c4:af:08:4b:95:2d:59:91:
         4d:1e:d9:33:2e:86:d9:15:dd:6a:c0:62:da:6a:e0:6b:05:7d:
         20:f2:74:4a:d4:25:ed:3c:11:0b:50:9c:38:ed:8b:6e:13:cf:
         f1:a9:e8:5b:6e:3f:13:6b:b8:79:fc:71:63:42:99:a8:fe:e3:
         fa:de:ec:06:52:b3:19:77:3d:16:e9:b5:18:44:40:84:55:5d:
         9d:82:cf:e4:6f:f5:af:3d:43:fb:f0:ae:48:b9:cb:c1:15:81:
         eb:37:c8:af:24:6d:5d:5a:23:38:8f:c7:69:49:72:c0:3f:e7:
         35:e4:98:76:ed:e1:33:b1:2a:0d:51:d8:de:97:42:b9:23:8b:
         dd:4e:f4:f9:85:19:c5:50:49:d8:2e:63:3a:b9:b8:d9:bb:18:
         90:d0:ff:36:b8:95:7c:e4:5a:0d:52:4b:c2:ff:da:f6:cc:51:
         74:99:98:a2:0f:e6:f4:a7:d5:44:5f:92:45:17:7b:8e:8a:b7:
         54:42:42:88:2d:66:d8:f4:08:f1:3d:4f:23:e2:d3:00:05:82:
         0c:9b:96:8a:30:f9:88:ff:ba:bc:d4:55:26:59:57:5f:eb:cb:
         e3:c7:95:31

The /cert endpoint printout in your post does not seem to contain the content of the certificate chain received by Envoy. You may need to add certificate-printing logging statements to Envoy code to dump the actual certificate chain received by Envoy.

hi, did you find the root cause, i’m facing the sam problem