it's insanely easy for users to start a router that won't work by having a mismatch between the config file advertise address and the pki being presented.

it'd be great if the router when it starts could attempt to probe it's own advertised addresses and ensure the advertised address returns a certificate that will be valid.

For example, if i start a router and with a pki using "my.router.local" in the SANS but set the advertise address of any of the bindings to "this.is.invalid", the router will start and advertise "this.is.invalid". If a client connects to this router, the certificate chain won't be able to be verified and a connection won't complete