Bug: Talos cannot reach image-cache due to certificate error

[shanduur]

I just tried the above steps on a node without internet access (it could only access a local LAN with my machine).

I applied the image-cache-patch with certificate information

talosctl apply -f image-cache-patch.yaml -i -n 192.168.10.9

And then generated a config and a mirrors patch

machine:
  time:
    disabled: true
  registries:
    mirrors:
      ghcr.io:
        endpoints:
          - https://192.168.10.19:5009
          - https://ghcr.io/v2/
      registry.k8s.io:
        endpoints:
          - https://192.168.10.19:5009
          - https://registry.k8s.io/v2/

I then applied the config and patch to the machine

talosctl apply -f controlplane.yaml -p '@mirrors.yaml' -i -n 192.168.10.9

I can see in the cache-serve logs

2025/11/19 15:44:03 http: TLS handshake error from 192.168.10.9:46966: remote error: tls: bad certificate

When trying to verify the connection from a remote system it doesn't appear to be responding

curl -vI https://192.168.10.19:5009 2>&1
...
Could not connect to server

Originally posted by @rothgar in #12257

[rothgar]

I tried the same thing built from main with the following commands and config

talosctl image cache-cert-gen --advertised-address 192.168.10.19 --advertised-name ghcr.io,registry.k8s.io
talosctl image cache-serve --address 192.168.10.19:5009 --image-cache-path ./image-cache.flat \
  --tls-cert-file tls.crt --tls-key-file tls.key

I verified the DNS signing on the cert

openssl s_client -connect 192.168.10.19:5009 </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A 10 "Subject Alternative Name"         
            X509v3 Subject Alternative Name:                                                                                                      
                DNS:ghcr.io, DNS:registry.k8s.io, IP Address:192.168.10.19

Then I applied the ca cert patch and the following patch with mirrors

talosctl apply -f image-cache-patch.yaml -i -n 192.168.10.9
talosctl apply -f controlplane.yaml -p '@mirrors.yaml' -i -n 192.168.10.9

The mirrors.yaml patch is

machine:
  time:
    disabled: true
  registries:
    mirrors:
      ghcr.io:
        endpoints:
          - https://192.168.10.19:5009
      registry.k8s.io:
        endpoints:
          - https://192.168.10.19:5009
cluster:
  discovery:
    enabled: true
    registries:
      service:
        disabled: true

It seems like the root cert or certificate chain is not being applied properly