Comment 3 for bug 1923067

Might be completely unrelated, but happens at the same point and has the same resolution, so...

juju 3.2-beta1.1-5069b69, vault charm 1.8/stable rev 100

Immediately after...
  juju run vault/leader authorize-charm token=$TOKEN
... I get:
Unit Workload Agent Machine Public address Ports Message
vault/0 blocked idle 0/lxd/16 [REDACTED] 8200/tcp Vault cannot authorize approle
vault/1* blocked idle 1/lxd/16 [REDACTED] 8200/tcp Missing CA cert
vault/2 blocked idle 2/lxd/16 [REDACTED] 8200/tcp Vault cannot authorize approle

So I...
  juju run vault/{0,2} restart
... and then unseal those two instances, and I get:
Unit Workload Agent Machine Public address Ports Message
vault/0 active idle 0/lxd/16 [REDACTED] 8200/tcp Unit is ready (active: true, mlock: disabled)
vault/1* blocked idle 1/lxd/16 [REDACTED] 8200/tcp Missing CA cert
vault/2 active idle 2/lxd/16 [REDACTED] 8200/tcp Unit is ready (active: true, mlock: disabled)

... and then I can continue with generating CA cert.