
Failed to connect to Cloud SQL Instance with Google managed CAS certificate authority

Open sww314 opened this issue 5 months ago • 5 comments

Bug Description

  1. Create a new Postgres SQL instance (I am using v16)
  2. Default setting is now: GOOGLE_MANAGED_CAS_CA
  3. Try to connect with cloud-sql-proxy; it fails.

Example code (or command)

This fails when running Cloud Run or running the cloud-sql-proxy.

./cloud-sql-proxy --address 0.0.0.0 --port 5555 huvrdata-testing:us-central1:testing-1
2025/05/05 14:32:22 Authorizing with Application Default Credentials
2025/05/05 14:32:22 [PROJECT-testing:us-central1:INSTANCE-1] Listening on [::]:5555
2025/05/05 14:32:22 The proxy has started successfully and is ready for new connections!
2025/05/06 13:57:31 [PROJECT-testing:us-central1:INSTANCE-1] accepted connection from 127.0.0.1:56966
2025/05/06 13:57:31 [PROJECT-testing:us-central1:INSTANCE-1] failed to connect to instance: Dial error: handshake failed (connection name = "PROJECT-testing:us-central1:INSTANCE-1"): Dial error: certificate had CN "", expected "PROJECT-testing:INSTANCE-1" (connection name = "PROJECT-testing:us-central1:INSTANCE-1")

This failure is caused by trying to run a psql connection.

psql --host 127.0.0.1 --port 5555 --user postgres --dbname dev --no-password --command 'SELECT COUNT(*) FROM assets_asset;'

The SQL command is irrelevant.

I have two instances. The old instance works just fine. Works both with the local run and in Cloud Run.

Stacktrace

2025/05/06 13:57:31 [PROJECT-testing:us-central1:INSTANCE-1] failed to connect to instance: Dial error: handshake failed (connection name = "PROJECT-testing:us-central1:INSTANCE-1"): Dial error: certificate had CN "", expected "PROJECT-testing:INSTANCE-1" (connection name = "PROJECT-testing:us-central1:INSTANCE-1")

Steps to reproduce?

  1. Cloud Run connect to Cloud SQL
  2. Add the connection
  3. All DB connections fail to new instance

Cloud SQL instance has: GOOGLE_MANAGED_CAS_CA set.

Environment

  1. OS type and version: Locally running Mac, but Cloud Run is my main concern
  2. Cloud SQL Proxy version: cloud-sql-proxy version 2.0.0
  3. Proxy invocation command: ./cloud-sql-proxy --address 0.0.0.0 --port 5555 CONNECTION

Additional Details

Related to: #2425 (similar errors)

sww314, May 06 '25 19:05
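For triaging proxy logs like the one in this report, the following added example (not part of the original issue and not code from the cloud-sql-proxy project) extracts every certificate-name handshake failure and flags the empty-CN case shown above separately from a non-empty mismatch. The names `ParseCNMismatches`, `Finding` and `sampleLog` are hypothetical, and the third log line is constructed for contrast.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// cnMismatch matches the handshake error in the form quoted in the report:
// timestamp, [connection name], presented CN, expected CN.
var cnMismatch = regexp.MustCompile(
	`^(\S+ \S+) \[([^\]]+)\] failed to connect to instance: .*?certificate had CN "([^"]*)", expected "([^"]*)"`)

// Finding is one parsed certificate-name failure (hypothetical type).
type Finding struct {
	Time, Instance, GotCN, WantCN string
	EmptyCN                       bool // server certificate carried no CN at all
}

// ParseCNMismatches scans proxy log text and returns each CN-mismatch failure.
func ParseCNMismatches(log string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		m := cnMismatch.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue // not a certificate-name failure
		}
		out = append(out, Finding{Time: m[1], Instance: m[2],
			GotCN: m[3], WantCN: m[4], EmptyCN: m[3] == ""})
	}
	return out
}

// sampleLog: lines 1-2 follow the report; line 3 is constructed sample input.
const sampleLog = `
2025/05/06 13:57:31 [PROJECT-testing:us-central1:INSTANCE-1] accepted connection from 127.0.0.1:56966
2025/05/06 13:57:31 [PROJECT-testing:us-central1:INSTANCE-1] failed to connect to instance: Dial error: handshake failed (connection name = "PROJECT-testing:us-central1:INSTANCE-1"): Dial error: certificate had CN "", expected "PROJECT-testing:INSTANCE-1" (connection name = "PROJECT-testing:us-central1:INSTANCE-1")
2025/05/06 13:58:02 [PROJECT-testing:us-central1:INSTANCE-2] failed to connect to instance: Dial error: handshake failed (connection name = "PROJECT-testing:us-central1:INSTANCE-2"): Dial error: certificate had CN "PROJECT-testing:OTHER", expected "PROJECT-testing:INSTANCE-2" (connection name = "PROJECT-testing:us-central1:INSTANCE-2")
`

func main() {
	for _, f := range ParseCNMismatches(sampleLog) {
		kind := "CN differs from expected name"
		if f.EmptyCN {
			kind = "certificate has empty CN"
		}
		fmt.Printf("%s %s: %s (got %q, want %q)\n", f.Time, f.Instance, kind, f.GotCN, f.WantCN)
	}
}
```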