In galerautils/src/gu_asio.cpp, function gu::ssl_prepare_context, you have the following bit of code:
param = conf::ssl_key;
param = conf::ssl_cert;
param = conf::ssl_ca;
If you note, the load_verify_file call is not actually using the ssl_ca configuration setting, instead it is using the ssl_cert configuration setting again.
This means that the only configuration that will work is one where your SSL certificate file contains the issuing CA (and any intermediate certificates due to the use of use_certificate_file instead of use_certificate_chain_file).
The most common working configuration is likely one where you have a single self-signed certificate that you copy to all of your servers, which is what the basic guides suggest, but which is... A great distance from any best practices surrounding SSL certificates.
If the use_certificate_file call could be updated to use_certificate_chain_file at the same time that would be very, very helpful.
- relates to
MDEV-24097 galera_3nodes suite tests in MTR sporadically fails: Failed to start mysqld or mysql_shutdown failed
MDEV-27181 Galera SST scripts should use ssl_capath (not ssl_ca) for CA directory