securityonion
BUG: osquery certificate hostname mismatch when FQDN specified for admin console
After fresh installation of 2.3.100 I specified the following during so-setup iso
for standalone configuration:
hostname (so-setup does not accept FQDN): onion
access web interface by FQDN: onion.redacted.redacted.no
After setup, osquery agents are unable to enroll, throwing errors like:
Feb 12 23:52:24 redacted launcher: {"caller":"extension.go:162","err":"enrolling host: transport error in enrollment: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: authentication handshake failed: x509: certificate is valid for onion, not onion.redacted.redacted.no"","msg":"extension interrupted","severity":"info","ts":"2022-02-12T22:52:24.454379896Z"}
expected result:
a) self-signed certificate valid for FQDN (onion.redacted.redacted.no)
b) osquery agents able to enroll
actual result:
a) self-signed certificate valid only for hostname (onion) and ip
b) osquery agents unable to enroll
possible workarounds:
a) during setup, specify to use IP address to access web interface
b) post setup, generate new self-signed certificate using a documented procedure (not found)
c) post setup, replace self-signed certificate with a certificate from trusted CA using a documented procedure (found)
possible fixes:
a) have so-setup include CN for FQDN when generating self-signed certificate
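The osquery error above is a standard TLS hostname check failing: the client compares the name it dialed against the certificate's subjectAltName entries, and when SAN entries exist the subject CN is not consulted. The following added example (not part of this issue or of the Security Onion code base) implements that RFC 6125 matching rule over the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so a defender can pre-check a certificate against every name agents will use before rolling it out. The two certificate dictionaries and the IP address 192.0.2.10 are constructed sample data, not values from the report.

```python
"""Check whether an X.509 certificate covers a given hostname, using the
RFC 6125 rules TLS clients (Go's crypto/x509, OpenSSL, Python ssl) apply.
The cert dict mirrors ssl.SSLSocket.getpeercert(): a 'subject' tuple of RDNs
and a 'subjectAltName' tuple of (type, value) pairs."""
import ipaddress
from typing import Tuple


def _dns_match(pattern: str, hostname: str) -> bool:
    """Exact, case-insensitive label match; '*' only as the whole left-most
    label and only when the pattern has at least three labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: dict, hostname: str) -> Tuple[bool, str]:
    """Return (matched, reason) for a certificate dict and the name a client dials."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]

    # A dialed IP address is only ever matched against SAN IP entries.
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        for v in ip_names:
            if ipaddress.ip_address(v) == ip:
                return True, f"matched SAN IP {v}"
        return False, f"no SAN IP entry matches {hostname}"

    for name in dns_names:
        if _dns_match(name, hostname):
            return True, f"matched SAN DNS {name}"
    if dns_names:
        # SAN DNS entries exist, so the CN is ignored: this is the case the
        # osquery launcher reports as "certificate is valid for X, not Y".
        return False, f"certificate is valid for {', '.join(dns_names)}, not {hostname}"

    # Legacy fallback for SAN-less certificates: compare against the subject CN.
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for name in cn:
        if _dns_match(name, hostname):
            return True, f"matched subject CN {name} (no SAN present)"
    return False, f"certificate is valid for {', '.join(cn) or '<no names>'}, not {hostname}"


# Constructed sample: the shape of certificate the report describes (hostname + IP only).
SHORT_NAME_CERT = {
    "subject": ((("commonName", "onion"),),),
    "subjectAltName": (("DNS", "onion"), ("IP Address", "192.0.2.10")),
}

# Constructed sample: the same certificate with the FQDN added as a SAN entry.
FQDN_CERT = {
    "subject": ((("commonName", "onion"),),),
    "subjectAltName": (
        ("DNS", "onion"),
        ("DNS", "onion.redacted.redacted.no"),
        ("IP Address", "192.0.2.10"),
    ),
}


def precheck(cert: dict, names) -> dict:
    """Map each name agents will dial to its (matched, reason) result."""
    return {n: cert_covers(cert, n) for n in names}


if __name__ == "__main__":
    for name, (ok, why) in precheck(
        SHORT_NAME_CERT, ["onion", "onion.redacted.redacted.no", "192.0.2.10"]
    ).items():
        print(f"{name}: {'OK' if ok else 'FAIL'} ({why})")
```

Run `precheck` against the list of names in agent configs (short hostname, FQDN, and any IP) before distributing an enrollment package; a FAIL line for the FQDN is exactly the condition that produces the handshake error in the report.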
Experienced same. Adding hostname to fleet_custom_hostname directive in global.sls and regenerating installer with:
salt-call state.apply fleet.event_gen-packages
fixed it for me.