Comment 4 for bug 1472014

So that's the problem - only address 10.0.6.1 is added to the certificate SAN list, where as the state server (machine 0) also uses address 10.0..3.105 - this address is not being picked up as belonging to the machine.

As is seen in the machine logs:

certupdater.go:79 new machine addresses: [public:localhost local-cloud:10.0.6.1]

the certificate updater is only ever informed about 10.0.6.1.

Yet the machine is known to have additional addresses:

machine-0: 2015-07-06 20:48:58 DEBUG juju.network network.go:259 addresses after filtering: [local-machine:127.0.0.1 local-cloud:192.168.122.1 local-cloud:10.0.3.105 local-machine:::1]
machine-0: 2015-07-06 20:48:58 INFO juju.worker.machiner machiner.go:94 setting addresses for machine-0 to ["local-machine:127.0.0.1" "local-cloud:192.168.122.1" "local-cloud:10.0.3.105" "local-machine:::1"]

So there's a problem with the machine AddressWatcher code which reports on a machine's addresses.