Percona XtraDB Cluster SSL when SSL is not configured

Hello Everyone,

I am relatively new to Percona XtraDB but have a few installations under my belt. I have run into a strange one today: I am installing a 2 node cluster, and the 2nd node cannot join the cluster and is erroring with:

2022-08-25T15:00:51.393170Z 0 [ERROR] [MY-000000] [Galera] handshake with remote endpoint ssl:// failed: asio.ssl:67567754: 'invalid padding' ( 67567754: 'error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding')
This error is often caused by SSL issues. For more information, please see:

Now, the fun thing that is really confusing me, is that SSL was never enabled!
On node 1 I see this in the log:

2022-08-25T15:00:25.323054Z 0 [Note] [MY-000000] [Galera] GMCast version 0
2022-08-25T15:00:25.323413Z 0 [Note] [MY-000000] [Galera] (a6560e41-9e8d, 'ssl://') listening at ssl://
2022-08-25T15:00:25.323608Z 0 [Note] [MY-000000] [Galera] (a6560e41-9e8d, 'ssl://') multicast: , ttl: 1
2022-08-25T15:00:25.324228Z 0 [Note] [MY-000000] [Galera] EVS version 1
2022-08-25T15:00:25.324538Z 0 [Note] [MY-000000] [Galera] gcomm: bootstrapping new group 'pxc-cluster'
2022-08-25T15:00:25.324776Z 0 [Note] [MY-000000] [Galera] start_prim is enabled, turn off pc_recovery

My config files do not have SSL enabled at all for either node. Has anyone seen this before? It's had me scratching my head all afternoon!

Node 1 cnf file

# Template my.cnf for PXC
# Edit to your requirements.


# Binary log expiration period is 604800 seconds, which equals 7 days

######## wsrep ###############
# Path to Galera library

# Cluster connection URL contains IPs of nodes
#If no IP is found, this implies that a new cluster needs to be created,
#in order to do that you need to bootstrap this node

# In order for Galera to work correctly binlog format should be ROW

# Slave thread to use


# This changes how InnoDB autoincrement locks are managed and is a requirement for Galera

# Node IP address
# Cluster name

#If wsrep_node_name is not specified,  then system hostname will be used

#pxc_strict_mode allowed values: DISABLED,PERMISSIVE,ENFORCING,MASTER

# SST method

Hi @mikejohnhathaway, welcome to the Percona forums! Our apologies for such a tardy reply to your question, usually we respond within hours or minutes.

PXC 8 enables encryption between nodes by default, so that is why you won’t see it in the configuration file. You can attempt to join as a proof of concept without encryption by setting pxc_encrypt_cluster_traffic=OFF on both your nodes.

Otherwise I encourage you to follow the guide above and ensure you’ve specified the SSL settings the same on both nodes, and deployed the SAME certificates to all nodes.

Please let us know how you make out. Best of luck!

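An added example (not from the thread or from Percona): a Python check of the two points in the reply above, that cluster traffic is encrypted even when my.cnf never mentions SSL, and that both nodes must hold the same certificate files. The sample configs, the PEM stand-in bytes and all function names are constructed; the fallback to ca.pem, server-cert.pem and server-key.pem in the data directory is an assumption about PXC's automatic configuration.

```python
import configparser
import hashlib

# Constructed samples (not the poster's files): neither config mentions SSL.
NODE1_CNF = "[mysqld]\ndatadir=/var/lib/mysql\nwsrep_cluster_name=pxc-cluster\n"
NODE2_CNF = "[mysqld]\ndatadir=/data/mysql\nwsrep_cluster_name=pxc-cluster\n"
# Stand-ins for each node's PEM files; on real hosts, read the bytes from disk.
NODE1_PEMS = {"ca": b"CA generated on node 1", "cert": b"cert 1", "key": b"key 1"}
NODE2_PEMS = {"ca": b"CA generated on node 2", "cert": b"cert 2", "key": b"key 2"}

def mysqld_options(cnf_text):
    """[mysqld] options with '-' folded to '_' (MySQL accepts either form)."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, delimiters=("=",))
    cp.read_string(cnf_text)
    if not cp.has_section("mysqld"):
        return {}
    return {k.replace("-", "_"): (v or "").strip() for k, v in cp.items("mysqld")}

def cluster_tls(cnf_text):
    """Return (encryption_enabled, {'ca'|'cert'|'key': path}) for one node."""
    opts = mysqld_options(cnf_text)
    # An absent option means ON in PXC 8, as the reply above states.
    enabled = opts.get("pxc_encrypt_cluster_traffic", "ON").upper() in ("ON", "1", "TRUE")
    datadir = opts.get("datadir", "/var/lib/mysql").rstrip("/")
    # Assumption: with no ssl-* options, the files auto-generated in datadir are used.
    defaults = {"ca": "ca.pem", "cert": "server-cert.pem", "key": "server-key.pem"}
    paths = {n: opts.get("ssl_" + n) or f"{datadir}/{f}" for n, f in defaults.items()}
    return enabled, paths

def join_findings(cnf_a, pems_a, cnf_b, pems_b):
    """List the reasons a TLS handshake between two nodes would fail."""
    (on_a, paths_a), (on_b, paths_b) = cluster_tls(cnf_a), cluster_tls(cnf_b)
    if on_a != on_b:
        return [f"encryption differs: node A {'ON' if on_a else 'OFF'}, "
                f"node B {'ON' if on_b else 'OFF'}"]
    if not on_a:
        return []  # both nodes speak plaintext, nothing to compare
    findings = []
    for name in ("ca", "cert", "key"):
        digest_a = hashlib.sha256(pems_a[name]).hexdigest()
        digest_b = hashlib.sha256(pems_b[name]).hexdigest()
        if digest_a != digest_b:
            findings.append(f"{name} differs: {paths_a[name]} vs {paths_b[name]}")
    return findings

if __name__ == "__main__":
    for line in join_findings(NODE1_CNF, NODE1_PEMS, NODE2_CNF, NODE2_PEMS):
        print(line)
```

Run against the constructed samples, it reports all three files as differing, which is the state two independently initialised nodes are in before certificates are copied between them.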