diff --git a/go/secretsmgr/secretsmgr.go b/go/secretsmgr/secretsmgr.go
index 83c324c1dc..17beb87193 100644
--- a/go/secretsmgr/secretsmgr.go
+++ b/go/secretsmgr/secretsmgr.go
@@ -12,6 +12,8 @@ import (
 "fmt"
 "io"
 "io/fs"
+ "net"
+ "net/http"
 "os"
 "os/exec"
 "os/user"
@@ -612,14 +614,27 @@ func checkAndRenewACMECertificates(ctx context.Context, c *vapi.Client) bool {
 func main() {
 flag.Parse()
- cfg := vapi.DefaultConfig()
- cfg.Address = "https://vault.int.lukegb.com"
- cfg.AgentAddress = "unix:///run/vault-agent/sock"
- cfg.MaxRetries = 0
- cfg.Timeout = 15 * time.Minute
- c, err := vapi.NewClient(cfg)
+ d := &net.Dialer{
+ Timeout: 30 * time.Second,
+ KeepAlive: 30 * time.Second,
+ }
+ agentPath := strings.TrimPrefix(*vaultAgentAddress, "unix://")
+ agentDialer := func(ctx context.Context, network, addr string) (net.Conn, error) {
+ if !strings.HasPrefix(*vaultAgentAddress, "unix://") {
+ return http.DefaultClient.Transport.(*http.Transport).DialContext(ctx, network, addr)
+ }
+ // Ignore what they want.
+ return d.DialContext(ctx, "unix", agentPath)
+ }
+
+ vcfg := vapi.DefaultConfig()
+ vcfg.AgentAddress = "http://vault-agent"
+ vcfg.MaxRetries = 0
+ vcfg.Timeout = 15 * time.Minute
+ vcfg.HttpClient.Transport.(*http.Transport).DialContext = agentDialer
+ c, err := vapi.NewClient(vcfg)
 if err != nil {
- log.Exitf("failed to create vault client: %v", err)
+ log.Exitf("creating vault client against %v: %v", *vaultAgentAddress, err)
 }
 ctx := context.Background()