However the mongo shell can still connect:
PyMongo fails hostname matching to such a server because the hostname, 127.0.0.1, is an IP address and therefore is only compared to iPAddress subjectAltName. As far as I can tell PyMongo (and CPython) are following the relevant RFCs with respect to IP address matching. From RFC 2818:
In some cases, the URI is specified as an IP address rather than a
hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.
From RFC 6125:
Comparison of IP Addresses
When the reference identity is an IP address, the identity MUST be
converted to the "network byte order" octet string representation
[IP] [IPv6]. For IP Version 4, as specified in RFC 791, the octet
string will contain exactly four octets. For IP Version 6, as
specified in RFC 2460, the octet string will contain exactly sixteen
octets. This octet string is then compared against subjectAltName
values of type iPAddress. A match occurs if the reference identity
octet string and value octet strings are identical.
So I think the mongo shell is performing non-standard subject alt name comparisons between IP addresses and DNS subjectAltNames.
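As an added illustration, not PyMongo's or CPython's own matching code, here is a minimal reference-identity matcher that applies the RFC 2818 / RFC 6125 rules quoted above. The SAN tuple shape follows what CPython's getpeercert() reports; the two sample certificates' SAN lists are constructed for the example.

```python
# Added example (not PyMongo's or CPython's code): a minimal reference-identity
# matcher that follows the RFC 2818 / RFC 6125 rules quoted above. An IP-address
# reference identity is compared, in network byte order, only against
# subjectAltName entries of type iPAddress; DNS names only against dNSName.
import ipaddress

def _is_ip_literal(reference):
    try:
        ipaddress.ip_address(reference)
        return True
    except ValueError:
        return False

def match_subject_alt_names(reference, san_entries):
    """Return True if `reference` matches one of `san_entries`.

    `san_entries` uses the ('DNS', value) / ('IP Address', value) tuples that
    CPython's ssl.SSLSocket.getpeercert() reports under 'subjectAltName'.
    """
    if _is_ip_literal(reference):
        # RFC 6125: convert the reference identity to its network byte order
        # octet string (4 octets for IPv4, 16 for IPv6) and compare it only
        # with iPAddress values, never with DNS names.
        ref_octets = ipaddress.ip_address(reference).packed
        return any(
            kind == "IP Address" and ipaddress.ip_address(value).packed == ref_octets
            for kind, value in san_entries
        )
    # DNS reference identity: case-insensitive comparison against dNSName
    # entries only (wildcards deliberately not handled in this example).
    ref_lower = reference.lower()
    return any(kind == "DNS" and value.lower() == ref_lower for kind, value in san_entries)

# Constructed sample: a certificate whose SAN lists only DNS names, including
# the string "127.0.0.1" as a dNSName. This is the kind of certificate the
# ticket describes, where the mongo shell accepts 127.0.0.1 but PyMongo does not.
DNS_ONLY_SAN = (("DNS", "localhost"), ("DNS", "127.0.0.1"))
# Constructed sample: a certificate that also carries a proper iPAddress entry.
WITH_IP_SAN = (("DNS", "localhost"), ("IP Address", "127.0.0.1"))

if __name__ == "__main__":
    print(match_subject_alt_names("127.0.0.1", DNS_ONLY_SAN))   # False
    print(match_subject_alt_names("127.0.0.1", WITH_IP_SAN))    # True
    print(match_subject_alt_names("localhost", DNS_ONLY_SAN))   # True
```

Because the comparison is done on the packed octets, textual IPv6 variants such as "::1" and "0:0:0:0:0:0:0:1" match each other, which a string comparison against a dNSName never would.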