Here is how I fixed my issue:
sctool cluster update --cluster REDACTED --force-non-ssl-session-port
The SSL configuration in /etc/scylla-manager/scylla-manager.yaml
ssl:
# CA certificate used to validate server cert. If not set will use he host's root CA set.
cert_file: /etc/scylla-manager/ssl/certs/client_cadb.pem
#
# Verify the hostname and server cert.
validate: false
# Client certificate and key in PEM format. It has to be provided when
# client_encryption_options.require_client_auth=true is set on server.
user_cert_file: /etc/scylla-manager/ssl/certs/client.crt
user_key_file: /etc/scylla-manager/ssl/certs/client.key
The reason I have to do this is that the cluster uses the port 9042 for SSL/TLS
References in scylladb documentation (I cannot post links…):
- ctool/cluster.html#id15 (the sctool options)
- configuration-parameters.html#confval-native_transport_port_ssl (description of why it uses 9042 instead of 9142)