Tls: bad certificate error from proxy worker when attempting `boundary connect ssh`

After recently upgrading my boundary cluster to 0.7.x I began seeing this error on some connection attempts.

iac/dev » boundary connect ssh -target-scope-name testbuild1 -target-name test-node Error dialing the worker: failed to WebSocket dial: failed to send handshake request: Get "https://54.x.x.103:9202/v1/proxy": remote error: tls: bad certificate kex_exchange_identification: read: Connection reset by peer Connection reset by 127.0.0.1 port 46813 error fetching connection to send session teardown request to worker: Error dialing the worker: failed to WebSocket dial: failed to send handshake request: Get "https://54.x.x.103:9202/v1/proxy": remote error: tls: bad certificate

From my understanding, the handshake between worker and controller should generate a new, valid TLS certificate that the client then validates against the worker’s public_addr settings as the SNI. Nothing in my configuration has changed other than the version upgrade, the database migration ran without any errors and other worker nodes are still allowing connections via their proxy endpoints without encountering this bad certificate error.
All workers use this configuration (except the worker name and IP which change):

worker {
  name = "boundary worker 01"
  description = "boundary worker"
  controllers = [
    "10.1.20.137"
  ]

 public_addr = "54.x.x.103"

}

listener "tcp" {
  address = "10.1.0.104"
  purpose = "proxy"

  tls_disable = "true"
}

kms "transit" {
  purpose            = "worker-auth"
  address            = "https://redacted"
  token              = "REDACTED"
  disable_renewal    = "false"

  // Key configuration
  key_name           = "worker-auth"
  mount_path         = "transit/"

  // TLS Configuration
  tls_skip_verify    = "false"
}
ubuntu@ip-10-1-0-104:~$

and controller config:

controller {
  name = "boundary controller"
  description = "boundary controller"
  database {
    url = "postgresql://redacted@localhost:5432/boundary"
  }
}

listener "tcp" {
  # Should be the address of the NIC that the controller server will be reached on
  address = "10.1.20.137"
  # The purpose of this listener block
  purpose = "api"

  tls_disable = "true"

# Data-plane listener configuration block (used for worker coordination)
listener "tcp" {
  # Should be the IP of the NIC that the worker will connect on
  address = "10.1.20.137"
  # The purpose of this listener
  purpose = "cluster"

  tls_disable = "true"
}


kms "transit" {
  purpose            = "root"
  address            = "https://redacted"
  token              =  "REDACTED "
  disable_renewal    = "false"

  // Key configuration
  key_name           = "root"
  mount_path         = "transit/"

  // TLS Configuration
  tls_skip_verify    = "false"
}

kms "transit" {
  purpose            = "worker-auth"
  address            = "https://redacted"
  token              =  "REDACTED "
  disable_renewal    = "false"

  // Key configuration
  key_name           = "worker-auth"
  mount_path         = "transit/"

  // TLS Configuration
  tls_skip_verify    = "false"
}

What version did you upgrade from ?

Not sure if this matters but in version 0.7.x i had to make sure that
tls_disable = true not tls_disable = “true”

without the quotation…