Maybe someone else can jump in as well as I haven’t seen this /exact/ issue, but it seems like a typical SSL chain validation issue.
It’s uncommon to use an IP address as a common name (CN), but it can be done. If your certificate was issued with a CN of the IP I think you should be ok.
It looks like Sensuctl isn’t trusting the certificate you have installed on your sensu-backend. I suspect this issue would go away if you add the certificate to your certificate authority (CA) bundle / trust bundle. If you self-signed you’ll add the certificate itself. If you have a private CA, you can add your CA public cert and/or any intermediate certificates to your CA bundle and this should also work.
Depending on your distro/platform, there are different ways to add a certificate to your CA bundle / trust bundle.
If that doesn’t work, then possibly there’s something slightly different with the way that Go handles certificates with a IP address in the CN instead of a fqdn. In that case you can regen your certificate with an fqdn and add in IP SANs, self-sign or private sign, then add the self-signed cert to your CA bundle (or add the private CA pubcert to your CA bundle) and that should fix it.
In our cluster we have private CA signed certs with the fqdn, and all the nodes as IP SAN entries in the cert, added the our CA pubcert to the bundle on each.
Hope that helps.