Percona XtraDB Cluster SSL when SSL is not configured

Hello Everyone,

I am relatively new to Percona XtraDB but have a few installations under my belt. I have run into a strange one today: I am installing a 2-node cluster, and the 2nd node cannot join the cluster and is erroring with:

2022-08-25T15:00:51.393170Z 0 [ERROR] [MY-000000] [Galera] handshake with remote endpoint ssl://192.168.1.235:4567 failed: asio.ssl:67567754: 'invalid padding' ( 67567754: 'error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding')
This error is often caused by SSL issues. For more information, please see:
https://per.co.na/pxc/encrypt_cluster_traffic

Now, the fun thing that is really confusing me, is that SSL was never enabled!
On node 1 I see this in the log:

2022-08-25T15:00:25.323054Z 0 [Note] [MY-000000] [Galera] GMCast version 0
2022-08-25T15:00:25.323413Z 0 [Note] [MY-000000] [Galera] (a6560e41-9e8d, 'ssl://0.0.0.0:4567') listening at ssl://0.0.0.0:4567
2022-08-25T15:00:25.323608Z 0 [Note] [MY-000000] [Galera] (a6560e41-9e8d, 'ssl://0.0.0.0:4567') multicast: , ttl: 1
2022-08-25T15:00:25.324228Z 0 [Note] [MY-000000] [Galera] EVS version 1
2022-08-25T15:00:25.324538Z 0 [Note] [MY-000000] [Galera] gcomm: bootstrapping new group 'pxc-cluster'
2022-08-25T15:00:25.324776Z 0 [Note] [MY-000000] [Galera] start_prim is enabled, turn off pc_recovery

My config files do not have SSL enabled at all for either node. Has anyone seen this before? It's had me scratching my head all afternoon!

Node 1 cnf file

# Template my.cnf for PXC
# Edit to your requirements.
[client]
socket=/var/lib/mysql/mysql.sock

[mysqld]
server-id=1
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
ssl=off

# Binary log expiration period is 604800 seconds, which equals 7 days
binlog_expire_logs_seconds=604800

######## wsrep ###############
# Path to Galera library
wsrep_provider=/usr/lib64/galera4/libgalera_smm.so

# Cluster connection URL contains IPs of nodes
#If no IP is found, this implies that a new cluster needs to be created,
#in order to do that you need to bootstrap this node
wsrep_cluster_address=gcomm://192.168.1.235

# In order for Galera to work correctly binlog format should be ROW
binlog_format=ROW

# Slave thread to use
wsrep_slave_threads=8

wsrep_log_conflicts

# This changes how InnoDB autoincrement locks are managed and is a requirement for Galera
innodb_autoinc_lock_mode=2

# Node IP address
wsrep_node_address=192.168.1.235
# Cluster name
wsrep_cluster_name=pxc-cluster

#If wsrep_node_name is not specified,  then system hostname will be used
wsrep_node_name=node1

#pxc_strict_mode allowed values: DISABLED,PERMISSIVE,ENFORCING,MASTER
pxc_strict_mode=DISABLED

# SST method
#wsrep_sst_method=xtrabackup-v2
sql_mode="STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION"

Hi @mikejohnhathaway, welcome to the Percona forums! Our apologies for such a tardy reply to your question, usually we respond within hours or minutes. :face_with_open_eyes_and_hand_over_mouth:

PXC 8 enables encryption between nodes by default, so that is why you won’t see it in the configuration file. You can attempt to join as a proof of concept without encryption by setting pxc_encrypt_cluster_traffic=OFF on both your nodes.

Otherwise I encourage you to follow the guide above and ensure you’ve specified the SSL settings the same on both nodes, and deployed the SAME certificates to all nodes.

Please let us know how you make out. Best of luck!

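An added example, not part of the thread and not Percona's code: a small Python audit that reads a node's my.cnf, reports whether inter-node traffic is effectively encrypted (treating an unset `pxc_encrypt_cluster_traffic` as ON, per the reply above), and lists the settings that differ between two nodes. The function names are hypothetical, and the `ssl_ca`/`ssl_cert`/`ssl_key` option names and the accepted ON spellings are assumptions not shown in the thread.

```python
import configparser
import re

SSL_KEYS = ("ssl_ca", "ssl_cert", "ssl_key")   # assumed certificate options
TRUE_VALUES = {"on", "1", "true"}              # assumed spellings of ON

def mysqld_options(cnf_text):
    """Parse the [mysqld] section; '-' and '_' in option names are treated alike."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.optionxform = lambda name: name.strip().lower().replace("-", "_")
    cp.read_string(cnf_text)
    return dict(cp["mysqld"]) if cp.has_section("mysqld") else {}

def cluster_tls(cnf_text):
    """Effective inter-node encryption state plus the configured certificate paths."""
    opts = mysqld_options(cnf_text)
    explicit = "pxc_encrypt_cluster_traffic" in opts
    value = opts.get("pxc_encrypt_cluster_traffic")
    # Unset means ON (the PXC 8 default named in the reply); a bare flag is also ON.
    enabled = value is None or value.strip().lower() in TRUE_VALUES
    return {"enabled": enabled, "explicit": explicit,
            "certs": {k: opts.get(k) for k in SSL_KEYS}}

def listener_scheme(log_text):
    """Scheme Galera logs for its listener ('ssl' when TLS is in use), if present."""
    m = re.search(r"listening at (\w+)://", log_text)
    return m.group(1) if m else None

def compare_nodes(cnf_a, cnf_b):
    """Return the names of the settings that differ between two nodes' configs."""
    a, b = cluster_tls(cnf_a), cluster_tls(cnf_b)
    diffs = [] if a["enabled"] == b["enabled"] else ["pxc_encrypt_cluster_traffic"]
    return diffs + [k for k in SSL_KEYS if a["certs"][k] != b["certs"][k]]

# Trimmed from the node 1 config and log quoted in the question.
NODE1_CNF = """
[mysqld]
ssl=off
wsrep_cluster_address=gcomm://192.168.1.235
wsrep_log_conflicts
"""
NODE1_LOG = "[Galera] (a6560e41-9e8d, 'ssl://0.0.0.0:4567') listening at ssl://0.0.0.0:4567"
# Constructed: the same node with the proof-of-concept setting from the reply.
NODE1_POC = NODE1_CNF + "pxc_encrypt_cluster_traffic=OFF\n"

if __name__ == "__main__":
    print(cluster_tls(NODE1_CNF), listener_scheme(NODE1_LOG))
    print(compare_nodes(NODE1_CNF, NODE1_POC))
```

Matching paths in two configs do not prove the files behind them are identical, so the certificate files themselves still need comparing on each host.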