Issue joining bootstrapped cluster

I’m following the docs Configure-nodes and Add-nodes to configure a Percona 8.4 MySQL cluster.

I’ve bootstrapped the first node and started mysql on the 2nd node after generating and copying the cert, and configuring the mysqld.cnf file as described (Ubuntu 24.04).

Slight modification: I’ve mounted a 2nd drive for the mysql data, and it’s in /mnt/data rather than the normal mysql directory.

MySQL fails to start on the 2nd node.

In the /var/log/mysql/error.log, I get a bunch of this:

2025-11-18T22:24:03.119873Z 0 [Note] [MY-000000] [Galera] Failed to establish connection: invalid padding: certificate signature failure
2025-11-18T22:24:03.617122Z 0 [Note] [MY-000000] [Galera] Failed to establish connection: Connection refused

I’ve tested with and without the firewalls, and I’ve double/triple checked that the certs are the same in /etc/ on all 3 nodes, with mysql:mysql ownership and permissions as advised.

Certs inside the /mnt/data directory are NOT the same, but the instructions don’t say anything about that.

1 Like

By default, the server is looking for SSL certificates and keys first in the datadir:

You need to make sure the relevant ssl-key, ssl-cert, ssl-ca, etc variables are pointing to the correct directory.

The PXC documentation explicitly states that the same certs should be on all cluster members:

Moreover, as custom directories are used, check the AppArmor configuration to see if they are allowed for the mysql user in Ubuntu.

I did try putting the cluster certs in a specific dir (/etc/mysql/clustercerts), and specified the full paths in both the wsrep_provider_options statement and [sst] section, but from the “passing config” line in the error log, it appears that the full path was not provided to Galera (see highlighted in screenshot). Does that mean it’s still looking in the data directory?

And if so, should I replace the same files in the data directory? I was cautious to do so as there are other certs in there as well I didn’t want to screw up.

This is the configuration you need; it is the same configuration we use in our XtraDB Cluster training classes.

[mysqld]
pxc_encrypt_cluster_traffic=ON
ssl-ca=/etc/ssl/mysql/ca.pem
ssl-cert=/etc/ssl/mysql/server-cert.pem
ssl-key=/etc/ssl/mysql/server-key.pem
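
A way to check the certificate sets discussed in this thread, as an added example that is not from any of the posters or from Percona. It assumes the file names from the configuration above (ca.pem, server-cert.pem, server-key.pem) are also the names present in the data directory; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added diagnostic sketch; function names are hypothetical, file names are
# the ones from the configuration in the thread.
PXC_TLS_FILES="ca.pem server-cert.pem server-key.pem"

# Print "<sha256>  <name>" for each TLS file in a directory. Run it on every
# node and compare the output; a missing or unreadable file is reported.
pxc_cert_digests() {
  local dir=$1 f
  for f in $PXC_TLS_FILES; do
    if [ -r "$dir/$f" ]; then
      printf '%s  %s\n' "$(sha256sum < "$dir/$f" | cut -d' ' -f1)" "$f"
    else
      printf 'MISSING  %s\n' "$f"
    fi
  done
}

# Return 0 when both directories hold byte-identical CA, cert and key,
# 1 when they differ, 2 when either directory lacks a file.
pxc_same_certs() {
  local a b
  a=$(pxc_cert_digests "$1")
  b=$(pxc_cert_digests "$2")
  case "$a$b" in *MISSING*) return 2 ;; esac
  [ "$a" = "$b" ]
}

# Needs the openssl CLI. The server cert must chain to ca.pem and its public
# key must match the private key; a peer presenting a cert signed by a
# different CA is one way to end up with a signature failure at handshake.
pxc_verify_chain() {
  local dir=$1 cert_pub key_pub
  openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" >/dev/null || return 1
  cert_pub=$(openssl x509 -in "$dir/server-cert.pem" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$dir/server-key.pem" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Usage on each node, as a user that can read the key:
#   pxc_cert_digests /etc/ssl/mysql          # output must match on all nodes
#   pxc_same_certs /etc/ssl/mysql /mnt/data || echo "datadir holds a different set"
#   pxc_verify_chain /etc/ssl/mysql || echo "chain or key mismatch"
```

Comparing digests avoids copying private keys between terminals, and the same functions work for any directory named in the ssl-ca, ssl-cert and ssl-key settings.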