Invalid SSL cert; wrong vfs mount path

Hello friends,

After mos aws-iot-setup I can contact AWS through MQTT without errors.
I’d like to avoid running the setup command after every firmware update. But manually configuring the device results with the following error:

[Oct 25 15:27:11.102] mgos_mqtt.c:439 Error: Invalid SSL cert

This is caused by a difference in vfs_common:find_mount_by_path():

[Oct 25 16:09:12.403] mgos_vfs.c:256          aws-stm32_A8D99C.crt.pem -> /aws-stm32_A8D99C.crt.pem pl 1 -> 2 0x20001a58 (refs 1)
[Oct 25 16:09:12.412] mgos_vfs.c:350          open aws-stm32_A8D99C.crt.pem 0x10000 0x1b6 => 0x20001a58 aws-stm32_A8D99C.crt.pem -2 => -2 (refs 0)
[Oct 25 16:09:12.423] mgos_mqtt.c:439         Error: Invalid SSL cert
---------------------------------------  VS
[Oct 25 16:10:26.383] mgos_vfs.c:256          aws-stm32_A8D99C.crt.pem -> /aws-stm32_A8D99C.crt.pem pl 1 -> 1 0x20000da0 (refs 1)
[Oct 25 16:10:26.394] mgos_vfs.c:350          open aws-stm32_A8D99C.crt.pem 0x10000 0x1b6 => 0x20000da0 aws-stm32_A8D99C.key.pem 0 => 256 (refs 1)

The difference is:
.crt.pem -2 => -2 (refs 0) // manual method; mounts to correct(?) file but doesn't work!
vs
.key.pem 0 => 256 (refs 1) // setup command; why mounts to .key.pem not .crt.pem, but works?!

I’ve verified that the cert and key files are identical to those after running the setup command. Same with the json/yml config for mqtt:

mos.yml:
  - ["mqtt.ssl_cert", "aws-stm32_A8D99C.crt.pem"]
  - ["mqtt.ssl_key", "aws-stm32_A8D99C.key.pem"]
❯ mos put aws-stm32_A8D99C.crt.pem
❯ mos put aws-stm32_A8D99C.key.pem
❯ mos ls
Using port /dev/ttyACM0
aws-stm32_A8D99C.crt.pem
aws-stm32_A8D99C.key.pem

What am I missing that the setup command is doing? And why is .crt.pem mounted to .key.pem - bug?

Thanks,

Gennadiy

Platform: STM32L4 discovery
mos: v2.15.0