Fix HostCAs not being returned during bot renewal

lib/auth/auth_with_roles.go

@@ -3385,8 +3385,13 @@ func (a *ServerWithRoles) generateUserCerts(ctx context.Context, req proto.UserC
 	// If the cert is renewable, process any certificate generation counter.
 	if certReq.renewable {
 		currentIdentityGeneration := a.context.Identity.GetIdentity().Generation
-
 		if experiment.Enabled() {
+			// If we're handling a renewal for a bot, we want to return the
+			// Host CAs as well as the User CAs.
+			if certReq.botName != "" {
+				certReq.includeHostCA = true
+			}
+
 			// Update the bot instance based on this authentication. This may create
 			// a new bot instance record if the identity is missing an instance ID.
 			if err := a.authServer.updateBotInstance(

lib/auth/bot_test.go

@@ -194,6 +194,9 @@ func TestRegisterBotCertificateGenerationCheck(t *testing.T) {
 		renewedIdent, err := tlsca.FromSubject(renewedCert.Subject, renewedCert.NotAfter)
 		require.NoError(t, err)
 
+		// Validate that we receive 2 TLS CAs (Host and User)
+		require.Len(t, certs.TLSCACerts, 2)
+
 		// Cert must be renewable.
 		require.True(t, renewedIdent.Renewable)
 		require.False(t, renewedIdent.DisallowReissue)