Hey there! I am providing the following certificate to a MariaDB Community 11.4.4. It consists of 2 PEM blocks, in this order:

• Leaf certificate
• Intermediate CA certificate

The certificates have been issued by cert-manager which using the go x509 library to issue certificates.

It seems like Galera is not able to parse multiple PEM blocks, returning the following error when setting up the donor:

mariadb 2025-01-09 18:02:20 0 [Note] WSREP: Failed to establish connection: unexpected eof while reading (SSL routines)

The donor node comes up anyway and when the SST is requested by a joiner, a crash happens. (see attached logs)

Including an intermediate CA as part of the certificate is valid and accepted by MariaDB. Standalone and replication topologies work normally with MariaDB 11.4.4. I have tested previous versions (11.4.3), but they also result in SSL errors (but not parsing errors) when this certificate structure is provided. It is also a very common PKI practice nowadays, as it allows to build trust in complex scenarios where multiple intermediate CAs are involved.

I have found the following issues during my investigation, which might provide some context:

• Same issue in Percona Xtradb cluster
• Similar issue in MySQL

I have attached the logs, configuration files and the PKI material.