2.5.0 Upgrade Regression: principals field on certificate no longer contains DNS name #1786

Closed
russjones opened this issue Mar 16, 2018 · 0 comments
russjones commented Mar 16, 2018

The following is the host certificate generated for a node running Teleport 2.4.5.

node.cert:
        Type: ssh-rsa-cert-v01@openssh.com host certificate
        Public key: RSA-CERT SHA256:+SiDP3sqXp/2H0We6sKuDfwfFADEfYGIY0yB2S4pwgc
        Signing CA: RSA SHA256:PBAazMe8RZVTQGgHYFzGCfJDXr+aWesfBYK/lhkO6BQ
        Key ID: ""
        Serial: 0
        Valid: forever
        Principals: 
                3660d7c9-d218-4871-beed-f4d460601528.example.com
                node.example.com
                node
        Critical Options: (none)
        Extensions: 
                x-teleport-authority UNKNOWN OPTION (len 15)
                x-teleport-role UNKNOWN OPTION (len 8)

After upgrading to 2.5.0, the host certificate changes to the following:

node.cert:
        Type: ssh-rsa-cert-v01@openssh.com host certificate
        Public key: RSA-CERT SHA256:zYNL54ur63z3XVdXW5XEmrd+uVmNInqXS+3dYyl9ges
        Signing CA: RSA SHA256:PBAazMe8RZVTQGgHYFzGCfJDXr+aWesfBYK/lhkO6BQ
        Key ID: ""
        Serial: 0
        Valid: forever
        Principals: 
                3660d7c9-d218-4871-beed-f4d460601528.example.com
        Critical Options: (none)
        Extensions: 
                x-teleport-authority UNKNOWN OPTION (len 15)
                x-teleport-role UNKNOWN OPTION (len 8)

Note that the Principals field no longer contains the DNS name. This causes OpenSSH clients to fail when connecting:

$ ssh -o "ProxyCommand ssh -p 3023 %r@proxy.example.com -s proxy:%h:%p" \
  node.example.com -p 3022
key_cert_check_authority: invalid certificate
Certificate invalid: name is not a listed principal
The authenticity of host '[proxy.example.com]:3023 ([127.0.0.1]:3023)' can't be established.
RSA key fingerprint is SHA256:XjEgLvfJ3yc5s8DczwGaiVgh236iUPoP0ueK5PFOJ4k.
Are you sure you want to continue connecting (yes/no)? ^C
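As an added example, not code from this issue or from Teleport itself: a minimal parser for the ssh-rsa-cert-v01@openssh.com wire format that pulls out the principal list and applies the check behind the error shown above (the name given to ssh must appear verbatim in a host certificate's principals). The certificate blobs are constructed inline and unsigned; signature checking is out of scope, and the field layout follows OpenSSH's PROTOCOL.certkeys.

```python
import struct

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
HOST_CERT = 2  # certificate type 2 = host, 1 = user

def _s(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def build_host_cert(principals, key_id=b"", serial=0) -> bytes:
    """Constructed, unsigned ssh-rsa-cert-v01@openssh.com blob (test data only).
    Field order follows OpenSSH PROTOCOL.certkeys; key and signature are dummies."""
    return (_s(CERT_TYPE) + _s(b"\x00" * 32)                      # type, nonce
            + _s(b"\x01\x00\x01") + _s(b"\x00" + b"\x7f" * 32)  # e, n (dummy key)
            + struct.pack(">QI", serial, HOST_CERT) + _s(key_id)
            + _s(b"".join(_s(p.encode()) for p in principals))  # valid principals
            + struct.pack(">QQ", 0, 2**64 - 1)                  # valid forever
            + _s(b"") * 5)  # critical options, extensions, reserved, sig key, signature

class _Reader:  # cursor over SSH wire data; refuses to read past the end
    def __init__(self, data: bytes):
        self.data, self.off = data, 0
    def take(self, n: int) -> bytes:
        chunk = self.data[self.off:self.off + n]
        if len(chunk) != n:
            raise ValueError("truncated certificate")
        self.off += n
        return chunk
    def string(self) -> bytes:
        return self.take(struct.unpack(">I", self.take(4))[0])

def cert_principals(blob: bytes):
    """Return (cert_type, [principals]) from an RSA OpenSSH certificate blob."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01@openssh.com certificate")
    r.string(); r.string(); r.string()                 # nonce, e, n
    serial, cert_type = struct.unpack(">QI", r.take(12))
    r.string()                                         # key id
    plist = _Reader(r.string())
    principals = []
    while plist.off < len(plist.data):
        principals.append(plist.string().decode())
    return cert_type, principals

def host_name_is_principal(blob: bytes, hostname: str) -> bool:
    """The check behind 'Certificate invalid: name is not a listed principal':
    the name given to ssh must appear verbatim in a host certificate's principals."""
    cert_type, principals = cert_principals(blob)
    return cert_type == HOST_CERT and hostname in principals
```

For a deployed node, `ssh-keygen -L -f node.cert` prints the same Principals list shown in this issue, so the presence of the DNS name can be checked before cutting clients over.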