Grafana cannot validate certificate for *.*.*.* because it doesn't contain any IP SANs"

Hi,
I am testing Grafana v6.2.2, want to accecss GUI using keycloak SSO, not username/password.
I created a kubectl secret including a certificate, and on Grafana values.yaml to use this secret.

After Grafana deployed, on Grafana GUI, there is button to access with keycloak realm, but can’t access success.
In Grafana container cpro-grafana logs, there are Error, "2019-08-21T07:54:33+0000 lvl=eror msg=login.OAuthLogin(NewTransportWithCode) logger=context userId=0 orgId=0 uname= error=“Post https://10.75.163.23/auth/realms/Kunlun/protocol/openid-connect/token: x509: cannot validate certificate for 10.75.163.23 because it doesn’t contain any IP SANs”

But in fact, there is IP SANS “value is 10.75.163.23” in this certificate.

My questions:
(1) For certificate, SANs is not required field, it is extention field. That means SANs is not included in some certificate. Why SANs is required when Grafana validate certificate?
(2) Because IP SANS "value is 10.75.163.23"is in the certificate, log “cannot validate certificate for 10.75.163.23 because it doesn’t contain any IP SANs” means this IP address is not valid?

Thank you for your reply!