So what ended up being the issue for me was that the certificate subject names for the TLS transport on each node was not matching the plugins.nodes_dn information I had. Fixing that solved the issue - though it would’ve been useful if the error were to say that that was the issue.