How to get metrics-server to work without setting --kubelet-insecure-tls=true

I have a k8s 1.24 cluster built the hard way. Here is my setup:
PKI Infra:
All certs locally signed by Kube-CA including the Kubelet.

Created front-proxy-ca
Created certs as mentioned in kubernetes-the-hardway-virtualbox/ at master · ansilh/kubernetes-the-hardway-virtualbox · GitHub

Added to api-server and everything works as expected. Installed metrics-server using kubectl apply -f

It starts complaining about a certificate error:

E0403 01:39:41.376984       1 scraper.go:140] "Failed to scrape node" err="Get \"\": x509: cannot validate certificate for because it doesn't contain any IP SANs" node="worker003"

Had to disable cert checks with --kubelet-insecure-tls=true

Tried adding --kubelet-certificate-authority=/certs/ca.crt and later --requestheader-client-ca-file=/certs/front-proxy-ca.pem; nothing seems to be working.

Wondering how hosted service providers can get everything going just with the latest metrics-server yaml applied, without any changes to it? What am I missing?
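Added example (not from the original thread and not metrics-server's own code): a small openssl script that reproduces the check behind the "x509: cannot validate certificate ... doesn't contain any IP SANs" error above and shows that a kubelet serving certificate carrying the node's IP as a SAN passes it. metrics-server is a Go TLS client: it chains the kubelet's serving cert to the CA given by --kubelet-certificate-authority and then requires the address it dialled to appear in the SAN list, so when it dials the node's InternalIP the cert must contain an IP SAN. The node name worker003 is taken from the log line; the IP 192.168.56.13, the CA name and the working directory ./pki-demo are assumed values.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a local CA and two kubelet
# serving certs (one with only a DNS SAN, one with DNS + IP SANs), then runs the
# same two checks a Go TLS client such as metrics-server applies:
#   1. chain validation against the CA
#   2. the dialled address (here an IP) must appear among the cert's SANs
# Assumed values: node worker003, InternalIP 192.168.56.13, work dir ./pki-demo.
set -e

WORKDIR="${WORKDIR:-./pki-demo}"
NODE="${NODE:-worker003}"
NODE_IP="${NODE_IP:-192.168.56.13}"

# make_ca: self-signed CA with CA:TRUE, standing in for the cluster's kube-ca.
make_ca() {
  mkdir -p "$WORKDIR"
  cat > "$WORKDIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = kubernetes-ca
[ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORKDIR/ca.cnf" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# make_kubelet_cert <name> <san-list>
# <san-list> uses openssl syntax, e.g. "DNS:worker003,IP:192.168.56.13".
# Subject follows the kubelet convention (CN=system:node:<name>, O=system:nodes).
make_kubelet_cert() {
  name="$1"; sans="$2"
  cat > "$WORKDIR/$name.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = system:node:$NODE
O = system:nodes
[ext]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $sans
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/$name.cnf" \
    -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/$name.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORKDIR/$name.cnf" -extensions ext \
    -out "$WORKDIR/$name.crt" 2>/dev/null
}

# cert_has_ip_san <cert> <ip>: exit 0 if <ip> is listed as an IP SAN in <cert>.
cert_has_ip_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | grep -qE "IP Address:$2(,|\$)"
}

# verify_as_scraper <cert> <ip>: what metrics-server does when it dials https://<ip>:10250
# with --kubelet-certificate-authority set: chain to the CA and match the IP against SANs.
verify_as_scraper() {
  openssl verify -CAfile "$WORKDIR/ca.crt" -verify_ip "$2" "$1" >/dev/null 2>&1
}

demo() {
  make_ca
  make_kubelet_cert kubelet-dns-only "DNS:$NODE"
  make_kubelet_cert kubelet-with-ip "DNS:$NODE,IP:$NODE_IP"
  for c in kubelet-dns-only kubelet-with-ip; do
    if verify_as_scraper "$WORKDIR/$c.crt" "$NODE_IP"; then
      echo "$c.crt: chains to CA and carries IP SAN $NODE_IP; scrape of https://$NODE_IP:10250 validates"
    else
      echo "$c.crt: rejected for $NODE_IP; expect \"doesn't contain any IP SANs\" from metrics-server"
    fi
  done
}

demo
```

The stock metrics-server manifest passes --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname, so it dials the node's InternalIP and the kubelet serving cert needs that IP as a SAN; --kubelet-certificate-authority only fixes the chain check, not the missing SAN. Either issue kubelet serving certs with the node IP in subjectAltName, as the second cert above does, or put Hostname first in --kubelet-preferred-address-types so the DNS SAN is matched instead (the node name must then resolve from the metrics-server pod).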

Hi, did you solve it?

Not yet. Still waiting for a solution

I think you need to start the kubelet with the --client-ca flag. Look here: Kubelet authentication/authorization