The certificate does not need to contain an IP address, you can use purely DNS - just be sure as I mentioned before that elasticsearch has been set up to communicate using DNS. Elasticsearch by default is going to check that the certificate that it is being presented (from another node) has at least one valid identity / value contained in the cert. I don't think having an incorrect IP would matter, as long as the DNS name that it tries correctly resolves to the IP address of the connection.
Example. If I was node01.corp.local, and I was connecting to node02.corp.local - node02 should present a certificate that would have a SAN:
X509v3 Subject Alternative Name: critical
In order for node01 to connect to node02, it had to resolve an IP address. As long as the IP address matches the DNS resolution of node02.corp.local - it would allow the TLS connection (assuming it also trusted the direct certificate, or the signing authority of the certificate).
I made a blog around this that you might find helpful. https://www.elastic.co/blog/tls-elastic-stack-elasticsearch-kibana-logstash-filebeat
Also, Java by default will cache a successful dns lookup forever. If you change the IP, java will not know without a restart. You will need to modify the java security policy for an appropriate refresh rate:
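The two checks the reply above describes (the peer's certificate must carry at least one SAN entry matching the identity we dialled, and the DNS name we dialled must resolve to the IP we actually connected to) modelled as an added example in Python. This is not code from the original post or from Elasticsearch; the certificate dicts, node names, IP addresses and the resolver function are all constructed for the example, and the certificate shape mirrors what Python's `ssl.SSLSocket.getpeercert()` returns so the matcher can be pointed at a real handshake later.

```python
"""Added example (not from the original post): SAN identity check plus
DNS-to-IP consistency check for a node-to-node TLS connection.

Certificates are represented in the shape ssl.SSLSocket.getpeercert()
returns, e.g. {"subjectAltName": (("DNS", "node02.corp.local"),)}.
Sample certificates and the resolver below are constructed, not real."""

import ipaddress
from typing import Callable, Mapping, Set, Tuple


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or a single '*' as the whole
    leftmost label matching exactly one label. Case-insensitive."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard only in the leftmost label, and never for a bare "*.tld".
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_identity(cert: Mapping, hostname: str, ip: str) -> bool:
    """True if any SAN entry names the dialled hostname (DNS entry) or the
    connected IP (IP Address entry). One valid identity is enough; a stale
    IP entry alongside a correct DNS entry does not fail the check."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and dns_name_matches(value, hostname):
            return True
        if kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ipaddress.ip_address(ip):
                    return True
            except ValueError:
                continue  # malformed IP entry in the cert: ignore it
    return False


def verify_peer(cert: Mapping, hostname: str, ip: str,
                resolve: Callable[[str], Set[str]]) -> Tuple[bool, str]:
    """Return (ok, reason). `resolve` maps a name to the set of IPs it
    resolves to; it is injected so the example runs offline (a real caller
    would wrap socket.getaddrinfo)."""
    if not cert_matches_identity(cert, hostname, ip):
        return False, "no SAN entry matches %s / %s" % (hostname, ip)
    if ip not in resolve(hostname):
        return False, "%s does not resolve to %s" % (hostname, ip)
    return True, "ok"


# --- constructed sample data (hypothetical names and addresses) ---------
NODE02_CERT = {"subjectAltName": (("DNS", "node02.corp.local"),
                                  ("IP Address", "10.0.0.99"))}  # stale IP
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.corp.local"),)}
NO_MATCH_CERT = {"subjectAltName": (("DNS", "node03.corp.local"),)}


def constructed_resolver(name: str) -> Set[str]:
    """Stand-in for DNS: node02.corp.local currently lives at 10.0.0.2."""
    return {"node02.corp.local": {"10.0.0.2"}}.get(name.lower(), set())


if __name__ == "__main__":
    cases = [
        ("DNS name dialled, stale IP in cert", NODE02_CERT, "node02.corp.local", "10.0.0.2"),
        ("wildcard cert",                      WILDCARD_CERT, "node02.corp.local", "10.0.0.2"),
        ("dialled by IP, cert has only DNS",   NODE02_CERT, "10.0.0.2", "10.0.0.2"),
        ("name resolves elsewhere",            NODE02_CERT, "node02.corp.local", "10.0.0.5"),
        ("cert for a different node",          NO_MATCH_CERT, "node02.corp.local", "10.0.0.2"),
    ]
    for label, cert, host, ip in cases:
        print("%-36s -> %s" % (label, verify_peer(cert, host, ip, constructed_resolver)))
```

The third case is the one the reply warns about: if the node dials its peer by IP rather than by DNS name, a certificate that carries only DNS SAN entries has nothing to match against and the connection is rejected, even though the same certificate passes when the peer is dialled by name.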