Hi, I let the key expire on two machines today so I could test out the renewal process, and it’s not quite what I expected.
We access our machines over Tailscale by SSHing to hostnames via MagicDNS. My hope was that pressing “Temporarily extend key” would allow the machine to reconnect to Tailscale and I could then log in over SSH and do whatever was needed to create a new key.
Instead, after clicking “Temporarily extend key”, I cannot connect over SSH. The “Last seen” section of Machine Details is the current time, but SSH via Tailscale times out.
For this machine, I have an alternate way of getting in, so I logged in and ran “tailscale status”.
$ tailscale status
unexpected state: Starting
$ tailscale version
1.10.0
tailscale commit: 766ae6c10fd93a8d4f41f18a9e63d36992dfb54c
other commit: 3e68227723fd503a0ca673655d015ccf45f9efaa
go version: go1.16.4-tsa2a536c
$ sudo systemctl restart tailscaled
$ tailscale status
<now it’s working again>
A similar thing happened on the other machine, although by the time I systemctl restarted tailscaled the temporary cert had expired again, so tailscale status printed a re-auth URL instead.
So my question is, should I expect “Temporarily extend key” to result in a fully working Tailscale connection, and is the fact that I have to log in (via non-Tailscale means) and restart tailscaled a bug? Or do I always need to preserve a secondary method of login in case keys expire?
I know 1.10.0 isn’t the very latest version, but I didn’t spot anything relevant in release notes.
Thanks
Peter