It’s okay, I found the error. It was mentioned in the docs but it was all cluttered within sentences so I overlooked.
The Organization attributes (O's), the Organizational Unit attributes (OU's), and the Domain Components (DC's) must match those from both the net.tls.clusterFile and net.tls.certificateKeyFile certificates for the other cluster members (or the tlsX509ClusterAuthDNOverride value, if set).
I had a different certificateKeyFile generated by Let's Encrypt when I only enabled TLS for client-to-server communication.
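A small check for the rule quoted above, added here as an example and not part of the original thread or of MongoDB's own tooling. It takes the subject DN of the clusterFile certificate and of the certificateKeyFile certificate as strings (the assumed input is the RFC 2253 form that `openssl x509 -noout -subject -nameopt RFC2253 -in cert.pem` prints), extracts the O, OU and DC attributes, and reports whether the two sets match. The sample DNs are constructed; the "CN only" one mimics a typical public-CA leaf certificate, which is the situation the poster ran into. It also rejects the case where neither certificate carries any O/OU/DC at all, which MongoDB's documentation requires for member certificates (that requirement is stated from the docs, not from this thread).

```python
"""Compare the O/OU/DC components of two certificate subject DNs.

Assumption (not from the thread): DN strings are in RFC 2253 form, e.g. the
output of `openssl x509 -noout -subject -nameopt RFC2253 -in cert.pem`.
A leading "subject=" prefix is tolerated and stripped.
"""
from collections import Counter

ORG_ATTRS = ("O", "OU", "DC")


def split_unescaped(text, sep):
    """Split `text` on `sep`, ignoring separators escaped with a backslash."""
    parts, buf, escaped = [], [], False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def org_components(dn):
    """Return a Counter of (attribute, value) pairs for O, OU and DC only.

    A Counter (multiset) is used because a DN may legitimately repeat an
    attribute, e.g. DC=example,DC=test, and both copies must be present.
    """
    if dn.lower().startswith("subject="):
        dn = dn[len("subject="):]
    found = Counter()
    for rdn in split_unescaped(dn, ","):
        # multi-valued RDNs ("CN=a+O=b") are split on an unescaped '+'
        for ava in split_unescaped(rdn, "+"):
            attr, _, value = ava.partition("=")
            attr = attr.strip().upper()
            if attr in ORG_ATTRS:
                found[(attr, value.strip())] += 1
    return found


def check_membership_match(cluster_dn, key_dn):
    """Apply the rule quoted in the thread; returns (ok, reason)."""
    cluster, key = org_components(cluster_dn), org_components(key_dn)
    if not cluster and not key:
        # MongoDB's docs require at least one of O, OU, DC in member certs
        return False, "neither certificate carries an O, OU or DC attribute"
    if cluster != key:
        return False, (
            f"mismatch: clusterFile has {sorted(cluster)}, "
            f"certificateKeyFile has {sorted(key)}"
        )
    return True, "O/OU/DC components match"


# Constructed sample subjects (not real certificates).
CLUSTER_DN = "CN=mongo1.internal.example,OU=Databases,O=Example Corp,DC=example,DC=test"
MATCHING_DN = "CN=mongo2.internal.example,OU=Databases,O=Example Corp,DC=example,DC=test"
PUBLIC_CA_STYLE_DN = "CN=mongo1.example.test"  # CN only, like a public-CA leaf cert


if __name__ == "__main__":
    for label, key_dn in (("internal CA cert", MATCHING_DN),
                          ("public-CA style cert", PUBLIC_CA_STYLE_DN)):
        ok, reason = check_membership_match(CLUSTER_DN, key_dn)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {reason}")
```

Run it against the real subjects by piping each certificate through the openssl command above and passing the two strings to `check_membership_match`; the second sample reproduces the failure described in this post, where a CN-only certificateKeyFile cannot match a clusterFile that carries O/OU/DC.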