bug(bootstrap/cli): remote gateway_endpoint may resolve to endpoint serving wrong certificate

[pimlock]

Sandbox operations failed with invalid peer certificate: UnknownIssuer.

Stored metadata endpoint was https://192.168.193.179, but that endpoint presented TRAEFIK DEFAULT CERT (not Navigator CA chain).
Navigator API was healthy on http://192.168.193.179:8080 and worked with --allow-insecure-access.

Expected: Bootstrap should persist a validated reachable endpoint for Navigator gateway, or CLI should detect mismatch and provide clear fallback guidance.

I had k3s already so this would not happen on a blank slate perhaps?

---

Originally by @vvagias on 2026-02-14T07:08:01.155-08:00

[pimlock]

Navigator is not (atleast currently) intended to work on an existing k3s cluster. k3s is really just an internal implementation detail. We hopefully don't need to expose any kube operations to the customer.

Can you provide steps to reproduce the error?

---

Originally by @drew on 2026-02-16T11:08:17.328-08:00

[drew]

This should be resolved.