No, you didn't misunderstand the configuration guide. We optimized the certs to work for the case of a real load balancer externally. We completely understand that you may just make the gateway-va the FQDN first and then move it to a load balancer later.
We are trying to make the certs work in that case in a near-future release. Till then, we have to use this workaround.