MIR-936

Server TLS cert missing external IP after restart (regression from runtime#708)

Done public

phinze Opened Mar 30, 2026 Updated Mar 30, 2026

Discover public IPs via netcheck for TLS cert SANs

After upgrading Garden to main:c35913a, the auto-generated server TLS cert no longer includes the external IP in its SANs. Clients connecting via the external IP get:

x509: certificate is valid for 127.0.0.1, ::1, 10.128.0.37, 10.8.95.0, 10.8.95.1, not 34.122.229.118

Regression from mirendev/runtime#708. Previous version (main:c55ae16d) had the external IP in the cert. Cert regeneration on restart is now only picking up internal/overlay IPs.