Hm, it might be that it isn't paying attention to the "alternative name", or maybe it's just unwilling to accept numeric IP addresses at all (or maybe just 127.0.0.1 .. no CA would issue one like that, so maybe the libraries don't ever expect one like that). You might try setting the alt-name to "localhost", and see if that affects anything.
To be honest I haven't paid close attention to what our CLI tools do with TLS, because I always run them against 127.0.0.1, which doesn't need transport-level security. (if you were running the client/gateway on a remote system, TLS would be critical, of course).
We might want to consider rewriting out CLI tools in terms of the requests library, which is generally considered to be the modern way to do HTTP. I don't know how requests does TLS verification, but I'd want to do whatever they do.
But yes, I suspect that setting your node.url to something which the TLS client is willing to verify is the easiest fix, if setting alt-name to "localhost" doesn't work.
