Handshake failed: certificate verify failed: unsuitable certificate purpose

Hey everyone,

We have had the XtraDB cluster running for a few weeks now, but we wanted to renew the whole CA/certs (all server and client certs) because we will use the CA of our OPNsense in the future.

So I created a new CA, which I deployed to every server and client, and created a server certificate/key for every server and a client certificate/key for every client.

I've shut down everything (it's a test lab, that's why so hard), replaced the server and client certs and tried to bootstrap the cluster again.

So I started mysql@bootstrap on node 1 and tried to start mysql.service on node 2, but the logs of node 1 show:

Handshake failed: certificate verify failed: unsuitable certificate purpose

So I checked the CA, server cert and client cert and everything seems fine. They do not differ (technically) from the ones I used before, whose creation is described here:

Does someone know what the message means or how I can dig deeper to the root cause?

Best regards

Hey @Zody,
Here’s the documentation for generating SSL certs that we use in our PXC training class. I’m 100% positive they work.

The most non-obvious thing is this: NOTE: The CommonName (CN) for each certificate must be different from all others.

You can use the same server cert (with same CN) on all 3 nodes, but the CN part of the subject must be different between the CA, server certs, and client certs.
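The error string in the thread ("certificate verify failed: unsuitable certificate purpose") is the wording of OpenSSL's certificate-purpose check, so the same check can be reproduced outside the cluster with `openssl verify -purpose`. The script below is an added example, not code from the thread or from Percona: it mints a throwaway CA, server cert and client cert with distinct CNs and explicit extendedKeyUsage values, confirms the subjects differ, and shows a client-only cert being rejected for the server role. It assumes `openssl` is on PATH; all CNs and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Percona. Assumes `openssl`
# is on PATH; every file name and CN below is constructed for the demo.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config: -subj supplies the DN; ca_ext marks the CA cert as a CA.
printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$WORK/openssl.cnf"

# issue_cert NAME CN EKU: key + CSR signed by the CA, extendedKeyUsage limited to EKU.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1-key.pem" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = %s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" \
    -CAcreateserial -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# CA, one server cert and one client cert, each with its own CN.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/openssl.cnf" \
    -subj "/CN=pxc-demo-ca" -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" 2>/dev/null
  issue_cert server pxc-demo-server serverAuth
  issue_cert client pxc-demo-client clientAuth
}

# check_purpose CERT sslserver|sslclient: succeeds only if CERT chains to the CA
# and its keyUsage/extendedKeyUsage allow that role; a failure here is what
# OpenSSL reports as "unsuitable certificate purpose".
check_purpose() {
  openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" "$1" >/dev/null 2>&1
}

# distinct_cn CERT...: succeeds only if no two certificates share a subject.
distinct_cn() {
  for f in "$@"; do openssl x509 -noout -subject -nameopt RFC2253 -in "$f"; done \
    | sort | uniq -d | grep -q . && return 1
  return 0
}

make_pki
distinct_cn "$WORK/ca.pem" "$WORK/server.pem" "$WORK/client.pem" && echo "subjects are distinct"
check_purpose "$WORK/server.pem" sslserver && echo "server cert accepted for sslserver"
check_purpose "$WORK/client.pem" sslclient && echo "client cert accepted for sslclient"
# Presenting the client-only cert as a server fails the same check the handshake runs:
check_purpose "$WORK/client.pem" sslserver || echo "client cert rejected for sslserver"
```

Run the same `check_purpose` against your real CA and node certificates (for both `sslserver` and `sslclient`, since cluster nodes act as both) to see which file fails the purpose check.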