From acme.sh, you'll get:
FreeBSD layout: copy these to /etc/ssl (or wherever you want).
Concatenate acme.sh's ca.cer with cert.pem from the package "security/ca_root_nss" (installed as a symlink to the system CA bundle) to build the CA file:
sudo sh -c 'cat ca.cer cert.pem > cert2.pem'
Galera Cluster doesn't like chained certificates, and it verifies certificates on both the client and the server side, so wsrep_provider_options looks like this:
Now, because you have to restart the whole cluster, and Let's Encrypt's certificates renew every 60-90 days, this may not be optimal. And I'm unclear what the impact is of doing "--wsrep-new-cluster" all the time, because once you change the certificates you apparently can't re-join the same cluster.
HOWEVER: the self-signed certificates, generated as directed here (http://galeracluster.com/documentation-webpages/sslcert.html#generating-certificates), didn't work out of the box. For whatever reason, the server cert needs to be the full chain. To create that, one more step:
sudo sh -c 'cat server-cert.pem ca-cert.pem > serverchain.pem'
And use socket.ssl_cert=serverchain.pem
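The two cat commands above (ca.cer plus the ca_root_nss cert.pem for the CA file, and server-cert.pem plus ca-cert.pem for the server chain) are easy to get wrong in silent ways: a chain file with the CA first, a leaf file that already contains a chain, or an empty input. The script below is an added example, not code from the original post or from the Galera project; it wraps that concatenation in a function that checks the inputs and the ordering, and emits the matching wsrep_provider_options value. The option names socket.ssl_cert, socket.ssl_key and socket.ssl_ca are Galera's; all file names and /etc/ssl paths are assumptions, and the demo runs on constructed placeholder PEM blocks rather than real certificates.

```shell
#!/bin/sh
# Added example, not from the original post: build the two PEM bundles the
# post assembles by hand (CA file = ca.cer + system cert.pem, server file =
# leaf + CA) and sanity-check them before restarting the cluster.
# File names and paths are assumptions; substitute acme.sh's real output.

# pem_count FILE: number of certificate blocks in FILE (0 if missing/empty).
pem_count() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# pem_first_block FILE: the first certificate block only. Galera (like
# 'openssl x509 -in') treats the first block as the node's own certificate,
# so the leaf must come first in a chain file.
pem_first_block() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print} p && /-----END CERTIFICATE-----/ {exit}' "$1"
}

# build_chain LEAF CA OUT: write LEAF followed by CA, refusing input that
# does not look like exactly one leaf plus at least one CA certificate.
build_chain() {
    leaf=$1; ca=$2; out=$3
    if [ "$(pem_count "$leaf")" -ne 1 ]; then
        echo "build_chain: $leaf must contain exactly one certificate" >&2
        return 1
    fi
    if [ "$(pem_count "$ca")" -lt 1 ]; then
        echo "build_chain: $ca contains no certificate" >&2
        return 1
    fi
    cat "$leaf" "$ca" > "$out"
    # Order check: the chain file must start with the leaf.
    [ "$(pem_first_block "$out")" = "$(pem_first_block "$leaf")" ]
}

# verify_leaf LEAF CA: the check 'openssl s_client' effectively did in the
# post. Run it on the real files only; it needs real certificates.
verify_leaf() {
    openssl verify -CAfile "$2" "$1"
}

# galera_ssl_options CERT KEY [CA]: the wsrep_provider_options value.
# Leave CA out to reproduce the post's "don't set ssl_ca" setup, but note
# that without a CA the nodes have nothing to verify peer certificates against.
galera_ssl_options() {
    opts="socket.ssl_cert=$1;socket.ssl_key=$2"
    if [ -n "${3:-}" ]; then
        opts="$opts;socket.ssl_ca=$3"
    fi
    echo "$opts"
}

# Demo on constructed placeholder blocks (not real certificates), so it runs
# offline; use verify_leaf only on the real acme.sh / openssl output.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-LEAF' '-----END CERTIFICATE-----' > "$tmp/server-cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$tmp/ca.cer"
    build_chain "$tmp/server-cert.pem" "$tmp/ca.cer" "$tmp/serverchain.pem"
    echo "serverchain.pem holds $(pem_count "$tmp/serverchain.pem") certificate blocks"
    galera_ssl_options /etc/ssl/serverchain.pem /etc/ssl/server-key.pem /etc/ssl/ca.cer
    rm -rf "$tmp"
}

demo
```

Run build_chain once for the CA file (ca.cer first, then cert.pem) and once for the server chain (server-cert.pem first, then ca.cer), then paste the galera_ssl_options output into wsrep_provider_options; pem_count on the finished server chain should be at least 2, and pem_first_block should print the node's own certificate.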
Oh yeah, you need different self-signed certs on each Galera node. The same server cert doesn't work for all nodes.
Well, that is only partly true, and it only worked for half of the connection: openssl s_client worked, but mysql/Galera would not validate the cert. In fact, you can have the same cert on everything if you DON'T set the ssl_ca. Yeah, really. Seemingly, you don't even need to sign it: just create the certificate/key pair for the CA, use those as key/cert, and don't set the CA.