sharding - The server certificate does not match the remote host name

Description

At the current moment I'm reporting this as the known "thing"; we can discuss whether it will be fixed somehow or not fixed at all, and whether it is an issue or not.

For example if we have 2 shards rs0 and rs1 and later add another shard rs2 we will see errors in rs0, rs1, cfg replica set logs like:

The reason is that the certificates that we generated include only hostnames for rs0, rs1, mongos and cfg, but rs2 was added later after certificates were already created.

We use "--sslAllowInvalidCertificates" when starting mongod/mongos already, because we use self-signed certificates, and currently I don't see an issue with sharding because of the warnings above.

One thing where I can see the difference is that if I try to connect directly to rs0 and rs1 with TLS, it will work without "--sslAllowInvalidCertificates" or "--sslAllowInvalidHostname", but if you try to connect to rs2 you will need to add one of these two options, otherwise the client connection will fail.
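As an added example (not part of the report or of the project's code), the check an operator could run before adding a shard: compare the DNS names in the certificate's subjectAltName against every hostname the members will have to verify. The SAN list and the hostnames below are constructed for illustration.

```python
# Constructed example: SAN DNS names baked into the cluster certificate when only
# rs0, rs1, cfg and mongos existed. The hostnames are assumptions, not from the report.
CERT_SAN_DNS_NAMES = [
    "rs0-0.example.internal", "rs0-1.example.internal", "rs0-2.example.internal",
    "rs1-0.example.internal", "rs1-1.example.internal", "rs1-2.example.internal",
    "cfg-0.example.internal", "cfg-1.example.internal", "cfg-2.example.internal",
    "mongos.example.internal",
]

# Constructed: every host the cluster members must verify, including the rs2 shard added later.
CLUSTER_HOSTS = CERT_SAN_DNS_NAMES + [
    "rs2-0.example.internal", "rs2-1.example.internal", "rs2-2.example.internal",
]


def san_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName match. A wildcard is accepted only as the whole
    leftmost label (e.g. '*.example.internal') and never spans more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_hosts(san_dns_names, hosts):
    """Return the hosts no SAN entry matches. Connecting to these with hostname
    verification enabled fails with the certificate/host-name mismatch error."""
    return [h for h in hosts if not any(san_matches(p, h) for p in san_dns_names)]


if __name__ == "__main__":
    missing = uncovered_hosts(CERT_SAN_DNS_NAMES, CLUSTER_HOSTS)
    for host in missing:
        print(f"not covered by certificate SANs: {host}")
    print("certificate covers all hosts" if not missing else f"{len(missing)} host(s) need a reissued certificate")
```

In a real deployment the SAN list is read from the certificate with `openssl x509 -in cert.pem -noout -ext subjectAltName` rather than hard-coded; any host this reports must be added to the certificate (or a wildcard covering the shard hostnames used) before the shard joins, instead of relying on `--sslAllowInvalidCertificates`.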


Created February 16, 2021 at 3:03 PM
Updated March 5, 2024 at 4:57 PM