[Maria-discuss] Galera with TLS not happy.
Hi guys.

I'm trying to add encryption to my already working galera cluster and I've looked at a number of tutorials, official ones included. I've added these to configs:

    [mariadb]
    ssl_cert = /etc/my.cnf.d/certs/c8kubernode2.private.pawel.crt
    ssl_key = /etc/my.cnf.d/certs/c8kubernode2.private.pawel.key
    ssl_ca = /etc/my.cnf.d/certs/ca.crt

    [mysqld]
    wsrep_provider_options="socket.ssl=yes;socket.ssl_cert=/etc/my.cnf.d/certs/c8kubernode2.private.pawel.crt;socket.ssl_key=/etc/my.cnf.d/certs/c8kubernode2.private.pawel.key;socket.ssl_ca=/etc/my.cnf.d/certs/ca.crt"

First server, above configs, starts okay with 'galera_new_cluster' but the second (I'm on Centos 8), when started as normal with systemd, shows:

    ...
    2021-03-29 17:33:34 0 [ERROR] WSREP: gcomm/src/asio_tcp.cpp:handshake_handler():128: handshake with remote endpoint ssl://10.1.1.223:4567 failed: asio.ssl:337047686: 'certificate verify failed' ( 337047686: 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed')
    2021-03-29 17:33:36 0 [ERROR] WSREP: gcomm/src/asio_tcp.cpp:handshake_handler():128: handshake with remote endpoint ssl://10.1.1.223:4567 failed: asio.ssl:337047686: 'certificate verify failed' ( 337047686: 'error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed')
    ...

and eventually after a moment fails. The second server has the same bits in configs; only, naturally, the file names are different respectively.

I also see this, in case it might tell more or be relevant; this is on the 'galera_new_cluster' node, up & running:

    -> $ mysql --ssl -h c8kubernode2.private.pawel -u wordpress -p --ssl-verify-server-cert=true
    Enter password:
    ERROR 2026 (HY000): SSL connection error: self signed certificate in certificate chain

    -> $ mysql --ssl -h c8kubernode2.private.pawel -u wordpress -p --ssl-verify-server-cert=false
    Enter password:
    Welcome to the MariaDB monitor.  Commands end with ; or \g.

But if this is a 'CN' problem then looking at the mysql server cert:

    -> $ _my._sslPrintCert.sh c8kubernode2.private.pawel.crt
    issuer=CN = "nodemaster.private.pawel,"   # <= here, it matches server's hostname as expected.
    subject=CN = c8kubernode2.private.pawel
    notAfter=Jul  2 20:50:57 2023 GMT
    Certificate:
    ...

Also, in case it might matter, I do not have, as you can see, the [sst] bits done yet.

Any ideas someone cares to share I'll appreciate.

many thanks, L.
Participants: lejeczek
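An added check for the two errors in the post (not a script from the thread or from MariaDB): it tests a node certificate the same two ways a Galera peer or a `mysql --ssl-verify-server-cert` client will, first that it chains to the cluster CA file, then that its CN or a DNS SAN names the host the peers dial. The CA, node certificates and hostnames are constructed placeholders generated with openssl for the demonstration, not the poster's files.

```shell
#!/bin/sh
# Added example (not the poster's script): verify a Galera/MariaDB node cert
# the same two ways a peer or client will: chain to the CA, then name match.
set -u

# make_test_pki DIR: constructed demo PKI. node1 is signed by the CA,
# node2 is self-signed, i.e. the "self signed certificate in certificate
# chain" case. Hostnames are placeholders, not the poster's.
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=node1.example.test" \
    -keyout "$dir/node1.key" -out "$dir/node1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/node1.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/node1.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=node2.example.test" \
    -keyout "$dir/node2.key" -out "$dir/node2.crt" >/dev/null 2>&1
}

# check_node_cert CA_FILE CERT_FILE HOSTNAME
#   returns 0 when CERT_FILE chains to CA_FILE and names HOSTNAME,
#   1 when the chain check fails (the WSREP 'certificate verify failed' case),
#   2 when the chain is fine but neither CN nor a DNS SAN matches HOSTNAME.
check_node_cert() {
  ca=$1; cert=$2; host=$3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  # -text prints "Subject: CN = host" (or "CN=host") and any "DNS:host" SAN
  openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | grep -Eq "Subject:.*CN ?= ?$host([ ,/]|$)|DNS:$host([ ,]|$)" || return 2
  return 0
}

# Stand-alone use: check_tls.sh ca.crt node.crt node.hostname
if [ $# -eq 3 ]; then
  if check_node_cert "$1" "$2" "$3"; then
    echo "OK: $2 chains to $1 and names $3"
  else
    rc=$?
    echo "FAIL (rc=$rc): $2 does not verify against $1 for host $3" >&2
    exit "$rc"
  fi
fi
```

Run it against each node's cert with the ca.crt every node has in socket.ssl_ca; rc=1 on a node cert is what the peers' WSREP handshake sees, and rc=1 with a self-signed cert is what the mysql client reported above.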