You are running into this issue from the Setting up SSL/TLS documentation:
If you choose not to use the certgen, the certificates that you obtain must allow for both clientAuth and serverAuth if the extended key usage extension is present.
SSL certificates can be marked (but don't have to be) as allowing either "client authentication" or "server authentication" or both. Because there is no strict notion of "client" or "server" in a cluster (all nodes act as both a client and a server) your certificate must either be marked as having both clientAuth and serverAuth extended key usage, or not have that extension included at all.
You'll need to generate new certificates.
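One way to confirm which certificates are affected before regenerating them, as an added example that is not part of the original answer. It assumes the `openssl` CLI (1.1.1 or later for `-addext`); the function names `check_node_cert_eku` and `make_sample_cert` are hypothetical, and the sample certificates are constructed throwaway ones.

```bash
#!/bin/sh
# Added example: check that a PEM certificate suits a cluster node, which
# acts as both TLS client and TLS server.

# Returns 0 if the Extended Key Usage (EKU) extension is absent, or present
# with both serverAuth and clientAuth; 1 if one is missing; 2 on parse error.
check_node_cert_eku() {
    local cert="$1" text eku
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "$cert: cannot parse certificate" >&2
        return 2
    }
    # openssl prints the EKU values on the line after the extension header.
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    if [ -z "$eku" ]; then
        echo "$cert: no EKU extension, acceptable"
        return 0
    fi
    case "$eku" in *"TLS Web Server Authentication"*) ;; *)
        echo "$cert: EKU present but lacks serverAuth"; return 1 ;;
    esac
    case "$eku" in *"TLS Web Client Authentication"*) ;; *)
        echo "$cert: EKU present but lacks clientAuth"; return 1 ;;
    esac
    echo "$cert: EKU has serverAuth and clientAuth, acceptable"
    return 0
}

# Constructed sample input: a throwaway self-signed certificate.
# $1 = output file, $2 = EKU value list (empty string omits the extension).
make_sample_cert() {
    if [ -n "$2" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-node" \
            -keyout "$1.key" -out "$1" -addext "extendedKeyUsage=$2" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-node" \
            -keyout "$1.key" -out "$1" 2>/dev/null
    fi
}

# Demo on three constructed certificates.
dir=$(mktemp -d)
make_sample_cert "$dir/both.pem" "serverAuth,clientAuth"
make_sample_cert "$dir/server-only.pem" "serverAuth"
make_sample_cert "$dir/no-eku.pem" ""
for c in "$dir"/*.pem; do check_node_cert_eku "$c" || true; done
```

Run `check_node_cert_eku` against each node's certificate file; any file that returns 1 is one that needs to be reissued.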