The second node can't join the cluster

When I add the second node, the error log has these error messages:

2023-03-30T09:31:18.751420Z 0 [ERROR] [MY-000000] [Galera] failed to open gcomm backend connection: 110: failed to reach primary view (pc.wait_prim_timeout): 110 (Connection timed out)
         at gcomm/src/pc.cpp:connect():161
2023-03-30T09:31:18.751433Z 0 [ERROR] [MY-000000] [Galera] gcs/src/gcs_core.cpp:gcs_core_open():219: Failed to open backend connection: -110 (Connection timed out)
2023-03-30T09:31:19.751980Z 0 [Note] [MY-000000] [Galera] gcomm: terminating thread
2023-03-30T09:31:19.752021Z 0 [Note] [MY-000000] [Galera] gcomm: joining thread
2023-03-30T09:31:19.752094Z 0 [ERROR] [MY-000000] [Galera] gcs/src/gcs.cpp:gcs_open():1811: Failed to open channel 'pxc-cluster' at 'gcomm://192.168.110.143': -110 (Connection timed out)
2023-03-30T09:31:19.752105Z 0 [ERROR] [MY-000000] [Galera] gcs connect failed: Connection timed out
2023-03-30T09:31:19.752113Z 0 [ERROR] [MY-000000] [WSREP] Provider/Node (gcomm://192.168.110.143) failed to establish connection with cluster (reason: 7)
2023-03-30T09:31:19.752127Z 0 [ERROR] [MY-010119] [Server] Aborting
2023-03-30T09:31:19.752724Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.31-23.1)  Percona XtraDB Cluster (GPL), Release rel23, Revision 536c22e, WSREP version 26.1.4.3.
2023-03-30T09:31:19.753470Z 0 [ERROR] [MY-010065] [Server] Failed to shutdown components infrastructure.

The primary node has these error messages:

2023-03-30T09:31:15.218503Z 0 [Warning] [MY-000000] [Galera] Handshake failed: tlsv1 alert decrypt error
...
2023-03-30T09:31:18.184230Z 0 [Warning] [MY-000000] [Galera] Handshake failed: tlsv1 alert decrypt error

My database’s version is “mysql Ver 8.0.31-23.1 for Linux on x86_64 (Percona XtraDB Cluster (GPL), Release rel23, Revision 536c22e, WSREP version 26.1.4.3)”.
My primary node’s my.cnf is:

[client]
socket=/var/lib/mysql/mysql.sock

[mysqld]
server-id=1
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

# Binary log expiration period is 604800 seconds, which equals 7 days
binlog_expire_logs_seconds=604800

######## wsrep ###############
# Path to Galera library
wsrep_provider=/usr/lib64/galera4/libgalera_smm.so

# Cluster connection URL contains IPs of nodes
#If no IP is found, this implies that a new cluster needs to be created,
#in order to do that you need to bootstrap this node
wsrep_cluster_address=gcomm://

# In order for Galera to work correctly binlog format should be ROW
binlog_format=ROW

# Slave thread to use
wsrep_slave_threads=8

wsrep_log_conflicts

# This changes how InnoDB autoincrement locks are managed and is a requirement for Galera
innodb_autoinc_lock_mode=2

# Node IP address
wsrep_node_address=192.168.110.143
# Cluster name
wsrep_cluster_name=pxc-cluster

#If wsrep_node_name is not specified,  then system hostname will be used
wsrep_node_name=pxc-cluster-node-1

#pxc_strict_mode allowed values: DISABLED,PERMISSIVE,ENFORCING,MASTER
pxc_strict_mode=ENFORCING

# SST method
wsrep_sst_method=xtrabackup-v2
wsrep_provider_options="socket.ssl=yes;socket.ssl_key=/etc/my.cnf.d/certificates/server-key.pem;socket.ssl_cert=/etc/my.cnf.d/certificates/server-cert.pem;socket.ssl_ca=/etc/my.cnf.d/certificates/ca.pem"

[sst]
encrypt=4
ssl-ca=/etc/my.cnf.d/certificates/ca-cert.pem
ssl-cert=/etc/my.cnf.d/certificates/server1-cert.pem
ssl-key=/etc/my.cnf.d/certificates/server1-key.pem

The second node’s my.cnf is:

[client]
socket=/var/lib/mysql/mysql.sock

[mysqld]
server-id=2
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

# Binary log expiration period is 604800 seconds, which equals 7 days
binlog_expire_logs_seconds=604800

######## wsrep ###############
# Path to Galera library
wsrep_provider=/usr/lib64/galera4/libgalera_smm.so

# Cluster connection URL contains IPs of nodes
#If no IP is found, this implies that a new cluster needs to be created,
#in order to do that you need to bootstrap this node
wsrep_cluster_address=gcomm://192.168.110.143

# In order for Galera to work correctly binlog format should be ROW
binlog_format=ROW

# Slave thread to use
wsrep_slave_threads=8

wsrep_log_conflicts

# This changes how InnoDB autoincrement locks are managed and is a requirement for Galera
innodb_autoinc_lock_mode=2

# Node IP address
wsrep_node_address=192.168.110.149
# Cluster name
wsrep_cluster_name=pxc-cluster

#If wsrep_node_name is not specified,  then system hostname will be used
wsrep_node_name=pxc-cluster-node-2

#pxc_strict_mode allowed values: DISABLED,PERMISSIVE,ENFORCING,MASTER
pxc_strict_mode=ENFORCING

# SST method
wsrep_sst_method=xtrabackup-v2
wsrep_provider_options="socket.ssl=yes;socket.ssl_key=/etc/my.cnf.d/certificates/server-key.pem;socket.ssl_cert=/etc/my.cnf.d/certificates/server-cert.pem;socket.ssl_ca=/etc/my.cnf.d/certificates/ca.pem"

[sst]
encrypt=4
ssl-ca=/etc/my.cnf.d/certificates/ca-cert.pem
ssl-cert=/etc/my.cnf.d/certificates/server1-cert.pem
ssl-key=/etc/my.cnf.d/certificates/server1-key.pem

The pem files all come from the primary node.
What can I do about this error?

Make sure the certificates are TLSv1.3 and that they are readable by the mysql OS user. Use openssl to verify the certs are parseable.
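As an added illustration of the openssl check suggested in the answer above (this script is not from the thread, the poster, or Percona's tooling), the functions below do what a practitioner would do before restarting the node: list every certificate path a my.cnf refers to, then confirm for each set that the PEM files parse, that the node certificate is issued by the CA, that the private key actually belongs to that certificate, and that the server's OS user can read the files. Note that the configs posted above reference one file set in wsrep_provider_options (ca.pem, server-cert.pem, server-key.pem) and a different one in [sst] (ca-cert.pem, server1-cert.pem, server1-key.pem), so both sets need the check. It assumes the openssl CLI is installed; the "mysql" OS user is an assumed default, and the throwaway PKI and my.cnf used by the self-test are constructed inside the script.

```shell
#!/bin/bash
# Added example for this thread (not the poster's or Percona's code). It needs
# the openssl CLI; the config and PKI used by the self-test are constructed
# below. The "mysql" OS user is an assumed default, as is the file layout.

# cnf_cert_paths MY_CNF
# Print, deduplicated, every certificate/key path a PXC config refers to: the
# socket.ssl_* entries inside wsrep_provider_options (Galera replication
# traffic) and the ssl-ca/ssl-cert/ssl-key options of any section ([sst] or
# the server-wide [mysqld] values). More than three lines of output means the
# two paths do not share one certificate set and each set must be checked.
cnf_cert_paths() {
    {
        sed -n 's/^wsrep_provider_options=//p' "$1" | tr -d '"' | tr ';' '\n' \
            | sed -n -e 's/^socket\.ssl_key=//p' -e 's/^socket\.ssl_cert=//p' \
                     -e 's/^socket\.ssl_ca=//p'
        sed -n -e 's/^ssl-ca=//p' -e 's/^ssl-cert=//p' -e 's/^ssl-key=//p' "$1"
    } | sort -u
}

# check_cert_bundle CA CERT KEY [OSUSER]
# Returns 0 only when all three PEM files parse, CERT is issued by CA, KEY
# belongs to CERT, and (when run as root and OSUSER exists) OSUSER can read
# them. Any other outcome prints the first failing condition and returns 1.
check_cert_bundle() {
    ca="$1"; cert="$2"; key="$3"; osuser="${4:-mysql}"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "unreadable by $(id -un): $f"; return 1; }
        if [ "$(id -u)" = 0 ] && command -v su >/dev/null 2>&1 \
                && id "$osuser" >/dev/null 2>&1; then
            su -s /bin/sh "$osuser" -c "test -r '$f'" \
                || { echo "unreadable by OS user $osuser: $f"; return 1; }
        fi
    done
    # 1. each file must parse at all (a truncated or wrong-type PEM is a
    #    classic cause of handshake failures that look like bad crypto)
    openssl x509 -in "$ca" -noout   || { echo "CA does not parse: $ca"; return 1; }
    openssl x509 -in "$cert" -noout || { echo "cert does not parse: $cert"; return 1; }
    openssl pkey -in "$key" -noout  || { echo "key does not parse: $key"; return 1; }
    # 2. the node certificate must chain to the CA the peers trust
    openssl verify -CAfile "$ca" "$cert" >/dev/null \
        || { echo "cert not issued by $ca: $cert"; return 1; }
    # 3. the private key must be the one the certificate was issued for;
    #    comparing the derived public keys works for RSA and EC alike
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "key/cert mismatch: $key is not the key of $cert"; return 1; }
    echo "OK: $cert is issued by $ca and matches $key"
}

# make_test_pki DIR
# Constructed throwaway PKI for a self-test: a CA, one node cert it signed,
# and an unrelated key standing in for a key copied from the wrong node.
make_test_pki() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pxc-test-ca" \
        -keyout "$d/ca-key.pem" -out "$d/ca.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/ca.csr" -signkey "$d/ca-key.pem" \
        -extfile "$d/ca.ext" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pxc-node-1" \
        -keyout "$d/server-key.pem" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/ca.pem" \
        -CAkey "$d/ca-key.pem" -CAcreateserial -out "$d/server-cert.pem" 2>/dev/null
    openssl genrsa -out "$d/other-key.pem" 2048 2>/dev/null
}
```

Typical use on a node is `cnf_cert_paths /etc/my.cnf` to see which files are in play, then `check_cert_bundle ca.pem server-cert.pem server-key.pem mysql` for each set, run as root so the readability check for the mysql user is exercised. The public-key comparison in step 3 is the check that catches a key and certificate copied from different nodes, which the "does it parse" check alone cannot.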

I moved ssl-ca, ssl-cert and ssl-key under the [mysqld] section and it works for me.

[mysqld]
server-id=1
datadir=/var/lib/mysql
socket=/var/run/mysqld/mysqld.sock
log-error=/var/log/mysql/error.log
pid-file=/var/run/mysqld/mysqld.pid
innodb_autoinc_lock_mode=2
binlog_format=ROW
binlog_expire_logs_seconds=604800

ssl-ca=/etc/mysql/certs/ca.pem
ssl-cert=/etc/mysql/certs/server-cert.pem
ssl-key=/etc/mysql/certs/server-key.pem

wsrep_provider=/usr/lib/galera4/libgalera_smm.so
wsrep_cluster_address=gcomm://192.168.0.50,192.168.0.51,192.168.0.52
wsrep_slave_threads=4
wsrep_log_conflicts
wsrep_node_address=192.168.0.50
wsrep_cluster_name=pxc
wsrep_node_name=pxc-node-1
pxc_strict_mode=PERMISSIVE
wsrep_sst_method=xtrabackup-v2

pxc_encrypt_cluster_traffic = ON
wsrep_provider_options="socket.ssl=yes;socket.ssl_key=/etc/mysql/certs/server-key.pem;socket.ssl_cert=/etc/mysql/certs/server-cert.pem;socket.ssl_ca=/etc/mysql/certs/ca.pem"

[sst]
encrypt=4