I have seen the Note below from https://www.elastic.co/guide/en/beats/filebeat/current/securing-communication-elasticsearch.html
For any given connection, the SSL/TLS certificates must have a subject that matches the value specified for hosts, or the SSL handshake fails. For example, if you specify hosts: ["foobar:9200"], the certificate MUST include foobar in the subject (CN=foobar) or as a subject alternative name (SAN). Make sure the hostname resolves to the correct IP address. If no DNS is available, then you can associate the IP address with your hostname in /etc/hosts (on Unix) or C:\Windows\System32\drivers\etc\hosts (on Windows).
In my case I've configured the filebeat yml file with IP address and the Hostname in the CN of the Logstash server certificate is DNS resolvable to the IP in the filebeat.yml file.
Event then I see the Error "X509: cannot validate certificate for X.X.X.X because it doesn’t contain any IP SANs".
Why is the SSL handshake not doing a DNS resolution to match the CN in the certificate to IP ? Is this a bug in beat's SSL handshake ?