Using SAN certificates with nodes_dn

Hello !

Still tinkering with searchguard. I’m trying to use SAN certificates (in PEM format, for the record) for the TLS configuration. I don’t want to use the OID method to authenticate the ES nodes, thus I’m using the “nodes_dn” method. As each of my servers have multiple hostnames, each server is given one certificate with one of the hostnames as the “Subject” and the others inside the SAN entries.

From this page: http://floragunncom.github.io/search-guard-docs/tls_troubleshooting.html
In the section “Checking the SAN hostnames and IP addresses”, it is written that I have to check for the “valid hostnames and IP addresses”. Is the presence of the server’s IP address in the SAN entries mandatory for a peer ES node to recognize the certificate as correct ?