Core Server: SERVER-37370

Improve CN/SAN mismatch error message

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Minor - P4
    • Fix Version/s: 4.1.11
    • Affects Version/s: None
    • Component/s: None
    • Fully Compatible
    • Security 2019-04-22

      While DWSing SERVER-37296, the external user discovered the error was in his configuration, but that our documentation was kinda buried in a seemingly unrelated section, and our error message wasn't descriptive enough to explain what was going on.

      Specifically, he was using a cert with a correctly matching commonName, but with additional subjectAlternateName entries which did not match the target host.

      The error message helpfully says that it attempted to match against the SANs, but doesn't mention that the CN was/wasn't tried, or if it would have matched had it been tried.

      2018-09-17T17:36:50.040+0800 E STORAGE [initandlisten] Unable to retrieve key .system, error: socket exception [CONNECT_ERROR] for The server certificate does not match the host name. Hostname: [example.com] does not match SAN(s): example.net, example.org

      I'd suggest that, if this error message is being output, we also do a test on commonName, and if it would have matched, we include a comment to the effect of: "CN would have matched, however it has been overridden by the SAN field". If the CN doesn't match either, then we (possibly) append it to the error message just to help end-users identify the certificate being used.

            Assignee:
            sara.golemon@mongodb.com Sara Golemon
            Reporter:
            sara.golemon@mongodb.com Sara Golemon
            Votes:
            0
            Watchers:
            2

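A worked illustration of the matching rule the ticket relies on (RFC 6125: when a certificate carries DNS subjectAltName entries, only they are consulted and the commonName is ignored; the CN is a fallback only for certificates with no SANs) together with the extended error message the ticket proposes. This is added example code, not MongoDB's implementation. The certificate shape used here (a dict with `subject_cn` and `san_dns`), the function names, and the sample certificates are assumptions constructed for the example; `from_peercert` accepts the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
"""Hostname verification with SAN-over-CN precedence and a diagnostic that
says whether the CN would have matched.  Added example, not MongoDB code."""


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name comparison in the RFC 6125 style: a wildcard
    is honoured only as the entire leftmost label, must consume exactly one
    label, and may not match a name with fewer than three labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    host_labels = hostname.split(".")
    if len(host_labels) < 3:
        return False
    return ".".join(host_labels[1:]) == pattern[2:]


def from_peercert(peercert: dict) -> dict:
    """Convert the dict returned by ssl.SSLSocket.getpeercert() into the
    constructed {"subject_cn": ..., "san_dns": [...]} shape used below.
    Only DNS SANs are kept; IP-address SANs are a separate check."""
    cn = None
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for kind, value in peercert.get("subjectAltName", ())
            if kind == "DNS"]
    return {"subject_cn": cn, "san_dns": sans}


def match_hostname(cert: dict, hostname: str) -> tuple:
    """Return (ok, message).  If DNS SANs are present they are authoritative;
    the CN is consulted only when the certificate has no DNS SANs.  On a SAN
    mismatch the message also reports whether the CN would have matched, so
    an operator can see that the CN was overridden rather than ignored."""
    sans = cert.get("san_dns") or []
    cn = cert.get("subject_cn")
    if sans:
        if any(_name_matches(san, hostname) for san in sans):
            return True, ""
        msg = ("The server certificate does not match the host name. "
               "Hostname: [%s] does not match SAN(s): %s"
               % (hostname, ", ".join(sans)))
        if cn is not None:
            if _name_matches(cn, hostname):
                msg += (". CN [%s] would have matched, however it has been "
                        "overridden by the SAN field" % cn)
            else:
                msg += ". CN [%s] does not match either" % cn
        return False, msg
    if cn is not None and _name_matches(cn, hostname):
        return True, ""
    return False, ("The server certificate does not match the host name. "
                   "Hostname: [%s] does not match CN: %s" % (hostname, cn))


# Constructed certificate mirroring the ticket's report: the CN matches the
# target host, but the SANs present do not.
TICKET_CERT = {"subject_cn": "example.com",
               "san_dns": ["example.net", "example.org"]}

if __name__ == "__main__":
    ok, message = match_hostname(TICKET_CERT, "example.com")
    print(ok, message)
```

The check reproduces the original one-line error for the ticket's certificate and appends the CN verdict; a certificate whose only DNS SAN matches, or a SAN-less certificate with a matching CN, is accepted. Note that a wildcard SAN such as `*.example.com` covers `db1.example.com` but neither `example.com` nor `a.b.example.com`, which is another common source of "my CN is right but it still fails" reports.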