PXC with SSL enabled is failing due to SSL handshake error.

Description

Attached SSL certificates, configuration files and error log.

Environment

None

AFFECTED CS IDs

CS0025848

Activity

Fernando Laudares Carmagos September 20, 2019 at 1:33 PM

> have the same cert on all nodes is how it has been designed and how upstream too has it.

Fair enough. But it remains counter-intuitive, particularly with the fact that MySQL servers (not Galera) are expected to use their own certificates. Plus, this standard error message ('error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01') doesn't point to the actual problem; I guess that's what led to opening this bug as well. Can we do something to improve on this, maybe a suggestive warning in the log that says "Hey, this may be due to using different certificates/keys on each node" or something along those lines?

Ramesh Sivaraman September 20, 2019 at 10:03 AM

Yes, it is working as expected.

Krunal Bauskar September 20, 2019 at 6:17 AM

With the new, updated understanding, can you retry the test case and check that it is working as expected?

Krunal Bauskar September 20, 2019 at 6:17 AM

Having the same cert on all nodes is how it has been designed and how upstream has it too.

pxc-encrypt-cluster-traffic doesn't relax this condition. pxc-encrypt-cluster-traffic was introduced only to simplify configuration. I can achieve the same effect as pxc-encrypt-cluster-traffic by specifying 5 variables (vs. the single pxc-encrypt-cluster-traffic variable). This is the only aim of pxc-encrypt-cluster-traffic, and nothing more than that should be associated with its introduction.

Fernando Laudares Carmagos September 19, 2019 at 2:54 PM
Edited

I ran into exactly the same problem:

What it ended up being is that I had the certificates created automatically by MySQL with pxc-encrypt-cluster-traffic=ON on the joiner node, whereas the manual states:

> These auto-generated files are suitable for automatic SSL configuration, but you should use the same key and certificate files on all nodes.

Copying over all *.pem files from the donor to the datadir did the trick. But then, the usefulness of pxc-encrypt-cluster-traffic (and having certificates and keys living in the datadir) is questionable; I'm certain the actual solution is a different one.
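A pre-join check for the condition this thread describes (the joiner's auto-generated *.pem files not matching the donor's), added here as an example; it is not part of the issue or of Percona's code. The list of files compared and the donor/joiner directory layout are assumptions, and the PEM blobs built for the demo are constructed placeholders, not real certificates or keys.

```python
import base64, hashlib, os, ssl, tempfile

# Files that must be identical on every node (assumed set; adjust to your datadir).
PEM_FILES = ("ca.pem", "server-cert.pem", "server-key.pem",
             "client-cert.pem", "client-key.pem")

def fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint, AA:BB:.. style; certs are hashed over DER like openssl does."""
    pem_text = pem_text.strip()
    if pem_text.startswith("-----BEGIN CERTIFICATE-----"):
        data = ssl.PEM_cert_to_DER_cert(pem_text)  # same bytes `openssl x509 -fingerprint` hashes
    else:
        data = pem_text.encode()  # private keys: hash the PEM text as-is
    digest = hashlib.sha256(data).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def compare_datadirs(node_dirs: dict) -> dict:
    """Return {filename: {node: fingerprint}} for every file that differs or is missing."""
    mismatches = {}
    for name in PEM_FILES:
        seen = {}
        for node, path in node_dirs.items():
            full = os.path.join(path, name)
            if not os.path.exists(full):
                seen[node] = "MISSING"
                continue
            with open(full, encoding="ascii") as fh:
                seen[node] = fingerprint(fh.read())
        if len(set(seen.values())) > 1:
            mismatches[name] = seen
    return mismatches

def fake_pem(kind: str, seed: str) -> str:
    """Constructed PEM-shaped blob (not a real certificate or key) for the demo."""
    body = base64.encodebytes(f"constructed-{kind}-{seed}".encode()).decode()
    return f"-----BEGIN {kind}-----\n{body}-----END {kind}-----\n"

def demo() -> list:
    """Donor and joiner share ca.pem, but the joiner auto-generated the other files itself."""
    with tempfile.TemporaryDirectory() as root:
        dirs = {n: os.path.join(root, n) for n in ("donor", "joiner")}
        for node, path in dirs.items():
            os.makedirs(path)
            for name in PEM_FILES:
                kind = "PRIVATE KEY" if name.endswith("key.pem") else "CERTIFICATE"
                seed = "shared" if name == "ca.pem" else node  # per-node files differ
                with open(os.path.join(path, name), "w") as fh:
                    fh.write(fake_pem(kind, seed))
        return sorted(compare_datadirs(dirs))  # the files to copy over from the donor
```

Run `compare_datadirs` against copies of each node's datadir before starting the joiner; any file it lists will produce the opaque RSA padding error above instead of a working SST.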

Not a Bug

Details

Time tracking

4h logged

Created April 8, 2019 at 6:22 PM
Updated March 6, 2024 at 10:11 PM
Resolved April 15, 2022 at 4:42 PM