Thank you all for steering me in the right direction. I didn’t know that restic uses the installed SSH binary. My keys may not have been previously password-protected like I thought, and when I regenerated my key, I switched to the SSH certificate method. It seems that both the hostname change and the certificate change were red herrings, and the real culprit was that cron didn’t have access to my ssh agent. The output of ssh -vv helped:
subprocess ssh: debug1: read_passphrase: can't open /dev/tty: Device not configured
subprocess ssh: debug2: no passphrase given, try next key
I set my ssh-agent to bind to a custom path that won’t change, then in my script that runs restic I added:
SSH_AUTH_SOCK=/home/stratacast/.ssh/myagent
export SSH_AUTH_SOCK
Now I can ssh with the FQDN, and I confirmed it doesn’t translate to the IP since it shows up as the FQDN in my control master path.
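
An added example, not part of the original post: a pre-flight check a cron-run backup script can do before calling restic, so that a missing or empty agent is reported up front instead of surfacing as the `read_passphrase: can't open /dev/tty` failure above. The function names, return codes and the `$HOME/data` path are assumptions of this example; the socket path is the one from the post.

```shell
#!/bin/sh
# Added example: verify the fixed-path ssh-agent socket before a cron backup.
# Return codes are this example's own convention:
#   0 agent answers and holds a key   1 agent answers but holds no keys
#   2 path is empty or not a socket   3 socket not owned by this user
#   4 socket exists but no agent answers (stale socket, or ssh-add missing)
check_agent() {
    sock=$1
    [ -n "$sock" ] && [ -S "$sock" ] || return 2
    # A socket owned by another user could hand our auth requests to their agent.
    [ -O "$sock" ] || return 3
    # ssh-add -l exits 0 with keys, 1 with none, 2 if the agent is unreachable.
    st=0
    SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1 || st=$?
    case $st in
        0) return 0 ;;
        1) return 1 ;;
        *) return 4 ;;
    esac
}

main() {
    # cron starts with a minimal environment, so fall back to the fixed path.
    SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-/home/stratacast/.ssh/myagent}
    export SSH_AUTH_SOCK
    rc=0
    check_agent "$SSH_AUTH_SOCK" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "backup skipped: ssh-agent check failed (code $rc) for $SSH_AUTH_SOCK" >&2
        return "$rc"
    fi
    # Assumes RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE are set elsewhere in the job.
    restic backup "$HOME/data"   # placeholder path
}

# Only run the backup when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then main; fi
```

Code 1 is the case to watch after a reboot: the agent is running on the fixed socket but nobody has added the key to it yet.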