There are no non-root available puppet CA signed client certs available on these hosts for use from MediaWiki or the mysql client. These will be needed for the ssl_set() call in DatabaseMysqli.php.
EDIT: Actually CA-only (by directory or CA file) is supported by mysqli, though not really documented (there's a bug somewhere about that), so this should work without client certs/keys.