From c0e948f91cb26ebcc867cc58692b10ae35de7488 Mon Sep 17 00:00:00 2001
From: Forrest <30576607+fspmarshall@users.noreply.github.com>
Date: Tue, 3 Sep 2024 14:39:12 -0700
Subject: [PATCH] fix local re-register (#46182)

---
 lib/auth/register.go   | 4 +++-
 lib/service/connect.go | 7 ++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/auth/register.go b/lib/auth/register.go
index ef7ececcc2fc..810607d59487 100644
--- a/lib/auth/register.go
+++ b/lib/auth/register.go
@@ -43,7 +43,9 @@ func LocalRegister(id state.IdentityID, authServer *Server, additionalPrincipals
 	}
 
 	// If local registration is happening and no remote address was passed in
-	// (which means no advertise IP was set), use localhost.
+	// (which means no advertise IP was set), use localhost. This behavior must
+	// be kept consistent with the equivalen behavior in cert rotation/re-register
+	// logic in lib/service.
 	if remoteAddr == "" {
 		remoteAddr = defaults.Localhost
 	}
diff --git a/lib/service/connect.go b/lib/service/connect.go
index 136c2aada868..a4e8622109bb 100644
--- a/lib/service/connect.go
+++ b/lib/service/connect.go
@@ -17,6 +17,7 @@ limitations under the License.
 package service
 
 import (
+	"cmp"
 	"context"
 	"crypto/tls"
 	"errors"
@@ -404,7 +405,11 @@ func (process *TeleportProcess) reRegister(conn *Connector, additionalPrincipals
 
 	if srv := process.getLocalAuth(); srv != nil {
 		clt = srv
-		remoteAddr = process.Config.AdvertiseIP
+		// auth server typically extracts remote addr from conn. since we're using the local auth
+		// directly we must supply a reasonable remote addr value. preferably the advertise IP, but
+		// otherwise localhost. this behavior must be kept consistent with the equivalent behavior
+		// in LocalRegister.
+		remoteAddr = cmp.Or(process.Config.AdvertiseIP, defaults.Localhost)
 	}
 
 	identity, err := auth.ReRegister(ctx, auth.ReRegisterParams{
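Review bot: The added comment in LocalRegister misspells "equivalent" as "equivalen" on its second new line; it should read `// be kept consistent with the equivalent behavior in cert rotation/re-register`. Since the comment exists to point maintainers at the sibling code path, it would also help to name that function rather than only the package, e.g. `// logic in lib/service (TeleportProcess.reRegister).`, so a grep finds both sites. LocalRegister's body starts and ends outside this hunk.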
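Review bot: The localhost fallback for remoteAddr is now implemented independently in reRegister and in LocalRegister, and the only thing keeping the two in sync is a comment in each; a drift between them would reproduce exactly the re-register bug this commit fixes. A small shared helper in lib/auth that both sites call (name constructed: something like `RemoteAddrForLocalAuth(advertiseIP string) string` returning `cmp.Or(advertiseIP, defaults.Localhost)`) would make the invariant enforceable rather than documented, and gives a single place to decide what counts as "unset" (cmp.Or treats only the empty string as unset, so a whitespace-only AdvertiseIP would pass through unchanged if the config layer does not trim it — worth confirming). Note that `cmp.Or` requires Go 1.22, so the module's go directive must be at least that for the new import to build. The new comment is also written in lowercase fragments, while the matching comment added to LocalRegister uses full sentences; aligning them to the latter style would read more consistently. reRegister's body continues past the end of this hunk.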