Health checks broken since consul 1.10 client update if not using tls_server_name

[rsommer]

Overview of the Issue

After upgrading clients to consul 1.10, health checks started to fail because of certificate errors like
Get \"https://node01.domain.tld:443/api/health\": x509: certificate is valid for *.domain.tld, not node01.
Downgrading to consul 1.9.7 fixes the checks. Adding tls_server_name to the check definition also fixes the check.

Reproduction Steps

1. Register a service using HTTPS (and possible a wildcard certificate)

{
  "service": {
    "id": "node",
    "name": "node",
    "address": "node01.domain.tld",
    "port": 443,
    "checks": [
      {
        "interval": "10s",
        "timeout": "5s",
        "http": "https://node01.domain.tld:443/api/health",
      }
    ]
  }
}

Consul info for both Client and Server

Client info

agent:
	check_monitors = 0
	check_ttls = 0
	checks = 1
	services = 1
build:
	prerelease = 
	revision = 27de64da
	version = 1.10.0
consul:
	acl = disabled
	known_servers = 3
	server = false
runtime:
	arch = amd64
	cpu_count = 2
	goroutines = 52
	max_procs = 2
	os = linux
	version = go1.16.5
serf_lan:
	coordinate_resets = 0
	encrypted = false
	event_queue = 0
	event_time = 17
	failed = 0
	health_score = 0
	intent_queue = 0
	left = 0
	member_time = 728
	members = 14
	query_queue = 0
	query_time = 1

Server info

agent:
	check_monitors = 0
	check_ttls = 0
	checks = 0
	services = 0
build:
	prerelease = 
	revision = 10bb6cb3
	version = 1.9.4
consul:
	acl = disabled
	bootstrap = false
	known_datacenters = 1
	leader = false
	leader_addr = 10.224.32.63:8300
	server = true
raft:
	applied_index = 16375477
	commit_index = 16375477
	fsm_pending = 0
	last_contact = 60.630795ms
	last_log_index = 16375477
	last_log_term = 24
	last_snapshot_index = 16371236
	last_snapshot_term = 24
	latest_configuration = [{Suffrage:Voter ID:8d3b2664-03ac-8f4d-feae-dd009a753eb6 Address:10.224.32.63:8300} {Suffrage:Voter ID:c91d8ada-42e8-f5f5-5f24-3115992d0f44 Address:10.224.32.65:8300} {Suffrage:Voter ID:cb4ca491-1343-1d9b-854f-140cd9e15d71 Address:10.224.32.61:8300}]
	latest_configuration_index = 0
	num_peers = 2
	protocol_version = 3
	protocol_version_max = 3
	protocol_version_min = 0
	snapshot_version_max = 1
	snapshot_version_min = 0
	state = Follower
	term = 24
runtime:
	arch = amd64
	cpu_count = 2
	goroutines = 140
	max_procs = 2
	os = linux
	version = go1.15.8
serf_lan:
	coordinate_resets = 0
	encrypted = false
	event_queue = 0
	event_time = 17
	failed = 0
	health_score = 0
	intent_queue = 0
	left = 0
	member_time = 728
	members = 14
	query_queue = 0
	query_time = 1
serf_wan:
	coordinate_resets = 0
	encrypted = false
	event_queue = 0
	event_time = 1
	failed = 0
	health_score = 0
	intent_queue = 0
	left = 0
	member_time = 111
	members = 3
	query_queue = 0
	query_time = 1

Operating system and Environment details

Debian buster, x86_64

Log Fragments

Check output:
Get \"https://node01.domain.tld:443/api/health\": x509: certificate is valid for *.domain.tld, not node01.

[dnephin]

Thank you for the bug report! This should be fixed by #10490