Clarification on TLS and server name

Hello. I’ve just attempted to enable TLS and am failing hostname verification. I have a wildcard cert for our domain *.domain.tld and am presenting that. Consul finds the hostname correctly as consul-1.domain.tld, but verification fails with "certificate is valid for *.domain.tld, not server.us-west-2a.domain.tld".

I have as part of my configuration:

"domain": "domain.tld"
"node_name": "consul-1"

The hostname is set on the host as consul-1.domain.tld.

What is generating this server.${az}.${domain} name being passed to the verification step?

Evidently verify_server_hostname is my culprit here. Removing that resolved my issue.

It’s also worth noting for future readers that the domain parameter is used to declare the authoritative domain for hostname resolution, and is not germane to the SNI being presented.
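The mismatch in this thread is a wildcard-scope problem: with verify_server_hostname enabled, Consul expects a server to present the name server.<datacenter>.<domain>, and a certificate for *.domain.tld cannot cover server.us-west-2a.domain.tld because a wildcard matches exactly one DNS label. The small check below, an added example that is not part of the original post and not Consul's own code, builds the expected name from a datacenter and domain, applies the single-label wildcard rule, and reports why a set of SANs does or does not cover it. The datacenter value "us-west-2a" and the SAN lists are constructed to mirror the post; a practitioner would read the SANs from the server's certificate instead. It is meant for checking a certificate before deployment so the hostname check can stay enabled rather than be removed.

```python
from typing import Iterable, Tuple


def consul_server_name(datacenter: str, domain: str) -> str:
    """Name that verify_server_hostname expects a server to present:
    server.<datacenter>.<domain>. The 'domain' here is Consul's DNS domain
    setting, independent of the host's own FQDN."""
    return f"server.{datacenter}.{domain.rstrip('.')}"


def name_matches(pattern: str, hostname: str) -> bool:
    """Single-label wildcard matching in the RFC 6125 style: a leading '*'
    label covers exactly one label and nothing else, so *.domain.tld
    matches consul-1.domain.tld but not server.us-west-2a.domain.tld."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole leftmost '*' label is accepted; partial or nested
    # wildcards are rejected outright.
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False
    # The wildcard never spans more than one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def check_server_cert(cert_names: Iterable[str], datacenter: str,
                      domain: str) -> Tuple[bool, str]:
    """Return (ok, message) describing whether any SAN covers the
    server.<dc>.<domain> name Consul will verify against."""
    names = list(cert_names)
    expected = consul_server_name(datacenter, domain)
    for san in names:
        if name_matches(san, expected):
            return True, f"{expected} is covered by SAN {san}"
    return False, f"certificate is valid for {', '.join(names)}, not {expected}"


if __name__ == "__main__":
    # Constructed SAN lists: the wildcard-only cert from the post, and one
    # that also carries the explicit server name.
    wildcard_only = ["*.domain.tld"]
    with_server_san = ["*.domain.tld", "server.us-west-2a.domain.tld"]
    for sans in (wildcard_only, with_server_san):
        ok, msg = check_server_cert(sans, "us-west-2a", "domain.tld")
        print("OK  " if ok else "FAIL", msg)
```

The first SAN list reproduces the error text from the post; the second shows the certificate shape that lets verify_server_hostname stay on. The same check is useful for client certificates: with the setting enabled, a client certificate lacking the server name cannot be used to pose as a server, which is the protection lost when the option is removed.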