This looks like the IP address of the machine which is doing the wget has not been added to the SAN list on the cert. It would be very helpful to get a log file from that state server so that we can see the logs pertaining to the operation of the certificate update worker. There will be output like:
State Server cerificate addresses updated to <blah>
That list of addresses should contain the IP address of machine 1 (the one that is presented as the source IP of the wget).
