diff --git a/lib/auth/auth.go b/lib/auth/auth.go
index 4bdb468b70679..c792c5f4e7ff5 100644
--- a/lib/auth/auth.go
+++ b/lib/auth/auth.go
@@ -865,10 +865,16 @@ func (s *AuthServer) GenerateServerKeys(req GenerateServerKeysRequest) (*PackedK
 // If the request contains 0.0.0.0, this implies an advertise IP was not
 // specified on the node. Try and guess what the address by replacing 0.0.0.0
 // with the RemoteAddr as known to the Auth Server.
- req.AdditionalPrincipals = utils.ReplaceInSlice(
- req.AdditionalPrincipals,
- defaults.AnyAddress,
- req.RemoteAddr)
+ if utils.SliceContainsStr(req.AdditionalPrincipals, defaults.AnyAddress) {
+ remoteHost, err := utils.Host(req.RemoteAddr)
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+ req.AdditionalPrincipals = utils.ReplaceInSlice(
+ req.AdditionalPrincipals,
+ defaults.AnyAddress,
+ remoteHost)
+ }
 
 var cryptoPubKey crypto.PublicKey
 var privateKeyPEM, pubSSHKey []byte
diff --git a/lib/service/connect.go b/lib/service/connect.go
index 203149f3fc23a..a738b94fc46e9 100644
--- a/lib/service/connect.go
+++ b/lib/service/connect.go
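Review bot: The hunk's leading comment still says 0.0.0.0 is replaced "with the RemoteAddr", but the new code substitutes only the host portion returned by `utils.Host(req.RemoteAddr)`, and a RemoteAddr that cannot be parsed now fails the request instead of silently landing as a bad principal; the comment should say so, e.g. `// with the host portion of RemoteAddr as known to the Auth Server; a RemoteAddr that cannot be parsed rejects the request.` Because the substituted host becomes a principal on the issued host certificate, it matters that RemoteAddr is filled in by the auth server from the connection and never taken from the caller's request body — the existing comment implies this, but the guarantee is worth stating on the RemoteAddr field of GenerateServerKeysRequest if it is not already. SliceContainsStr followed by ReplaceInSlice scans AdditionalPrincipals twice; harmless at this size, but a single pass that replaces and reports whether anything changed would be simpler. GenerateServerKeys continues outside the hunk.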
@@ -616,11 +616,25 @@ func (process *TeleportProcess) rotate(conn *Connector, localState auth.StateV2,
 defaults.Localhost,
 )
- principalsOrDNSNamesChanged := (len(additionalPrincipals) != 0 && !conn.ServerIdentity.HasPrincipals(additionalPrincipals)) ||
- (len(dnsNames) != 0 && !conn.ServerIdentity.HasDNSNames(dnsNames))
-
- if local.Matches(remote) && !principalsOrDNSNamesChanged {
- // nothing to do, local state and rotation state are in sync
+ // If advertise_ip, public_addr, or listen_addr in file configuration were
+ // updated, the list of principals (SSH) and DNS names (TLS) on the
+ // certificate need to be updated.
+ var principalsChanged bool
+ if len(additionalPrincipals) != 0 && !conn.ServerIdentity.HasPrincipals(additionalPrincipals) {
+ principalsChanged = true
+ log.Debugf("Rotation in progress, updating SSH principals from %v to %v.",
+ conn.ServerIdentity.Cert.ValidPrincipals, additionalPrincipals)
+ }
+ var dnsNamesChanged bool
+ if len(dnsNames) != 0 && !conn.ServerIdentity.HasDNSNames(dnsNames) {
+ log.Debugf("Rotation in progress, updating x590 DNS names in SAN from %v to %v.",
+ conn.ServerIdentity.XCert.DNSNames, dnsNames)
+ dnsNamesChanged = true
+ }
+
+ // If the local state matches remote state and neither principals or DNS
+ // names changed, nothing to do. CA is in sync.
+ if local.Matches(remote) && !(principalsChanged || dnsNamesChanged) {
 return &rotationStatus{}, nil
 }
@@ -648,7 +662,7 @@ func (process *TeleportProcess) rotate(conn *Connector, localState auth.StateV2,
 // that the old node came up and missed the whole rotation
 // rollback cycle.
 case "", services.RotationStateStandby:
- if principalsOrDNSNamesChanged {
+ if principalsChanged || dnsNamesChanged {
 process.Infof("Service %v has updated principals to %q, DNS Names to %q, going to request new principals and update.", id.Role, additionalPrincipals, dnsNames)
 identity, err := process.reRegister(conn, additionalPrincipals, dnsNames, remote)
 if err != nil {
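Review bot: The DNS-names log message in the first hunk says `x590` where it means the X.509 certificate extension; change it to `log.Debugf("Rotation in progress, updating x509 DNS names in SAN from %v to %v.",`. The two flag blocks are also written in opposite order (principalsChanged is set before its log call, dnsNamesChanged after it), so setting the flag first in both reads more consistently, and the comment before the early return should say `neither principals nor DNS names changed`. These debug lines go through the package-level `log`, while the Standby branch in the second hunk reports through `process.Infof`; if process carries the per-service logger, routing the new messages through it would keep the role context attached. rotate starts before and ends after these hunks.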