diff --git a/internal/keystore/vault/client.go b/internal/keystore/vault/client.go
index bd6ba750..add5189e 100644
--- a/internal/keystore/vault/client.go
+++ b/internal/keystore/vault/client.go
@@ -7,6 +7,7 @@ package vault
 import (
 "context"
 "errors"
+ "fmt"
 "os"
 "path"
 "strings"
@@ -54,9 +55,18 @@ func (c *client) CheckStatus(ctx context.Context, delay time.Duration) {
 defer ticker.Stop()
 for {
- status, err := c.Sys().Health()
- if err == nil {
- c.sealed.Store(status.Sealed)
+ client, err := c.CloneWithHeaders()
+ if err != nil {
+ // TODO: want to log error properly, however we don't have access to slog, should it be passed down?
+ // other functions running in goroutines like RenewToken throw away errors, so maybe do that here.
+ fmt.Println("vault: failed to clone client with headers:", err)
+ } else {
+ // See vault.Store.Status() for more info on namespace handling.
+ client.ClearNamespace()
+ status, err := client.Sys().HealthWithContext(ctx)
+ if err == nil {
+ c.sealed.Store(status.Sealed)
+ }
 }
 select {
diff --git a/internal/keystore/vault/vault.go b/internal/keystore/vault/vault.go
index 81483b50..fcd934f8 100644
--- a/internal/keystore/vault/vault.go
+++ b/internal/keystore/vault/vault.go
@@ -164,7 +164,7 @@ func (s *Store) String() string { return "Hashicorp Vault: " + s.config.Endpoint
 func (s *Store) Status(ctx context.Context) (kes.KeyStoreState, error) {
 // This is a workaround for https://github.com/hashicorp/vault/issues/14934
 // The Vault SDK should not set the X-Vault-Namespace header
- // for root-only API paths.
+ // for root-only API paths. Health is also checked in client.CheckStatus.
 // Otherwise, Vault may respond with: 404 - unsupported path
 client, err := s.client.CloneWithHeaders()
 if err != nil {
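Review bot: The clone-failure branch in CheckStatus reports the error with `fmt.Println` on every tick, which bypasses the process logger and can flood stdout for as long as Vault stays unreachable, as the TODO itself notes. Either discard the error the way the comment says RenewToken does, or give `client` a logger field: `log/slog` is in the standard library, so nothing has to be passed down from a caller to write `c.log.Error("vault: cloning client with headers", "err", err)`. Inside the else branch, `status, err := client.Sys().HealthWithContext(ctx)` shadows the outer `err`, which is legal but misleading right under the `if err != nil` check; a different name, or a small helper returning `(bool, error)`, would avoid it. On either failure `c.sealed` keeps its previous value, so a Vault that becomes unreachable keeps reporting its last known seal state; that predates this change, but a comment such as `// on error c.sealed keeps the last observed value` would make the behaviour explicit to callers. The for loop and CheckStatus continue past the end of the hunk.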