PSC connections fail with Go 1.25.2 due to trailing dot in DNS names
Bug Description
After upgrading Go to 1.25.2, I've started to see database connection errors wrapping x509: SAN dNSName is malformed. I think this may be related to the following patch https://github.com/golang/go/issues/75715. PSC DNS names have a trailing dot, which seems not to be compliant.
Refer to the example code provided. You can see the issue pretty clearly:
GOTOOLCHAIN=go1.25.2 go run main.go
Cloud SQL PSC DNS name: 42cfcd3545f4.2imj07zrx20yw.us-west1.sql.goog.
Error creating cert: x509: SAN dNSName is malformed
GOTOOLCHAIN=go1.25.1 go run main.go
Cloud SQL PSC DNS name: 42cfcd3545f4.2imj07zrx20yw.us-west1.sql.goog.
Cert created successfully
Example code (or command)
# main.go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func main() {
	// This is the DNS name Cloud SQL API returns for PSC instances
	dnsNameWithTrailingDot := "42cfcd3545f4.2imj07zrx20yw.us-west1.sql.goog."
	fmt.Printf("Cloud SQL PSC DNS name: %s\n", dnsNameWithTrailingDot)

	// Create a self-signed certificate with trailing dot in SAN DNS name
	// This simulates what Cloud SQL's certificate has
	_, err := createCertWithDNSName(dnsNameWithTrailingDot)
	if err != nil {
		fmt.Printf("Error creating cert: %v\n", err)
		return
	}
	fmt.Println("Cert created successfully")
}

// createCertWithDNSName creates a self-signed certificate with the given DNS name in SAN
func createCertWithDNSName(dnsName string) (tls.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}

	serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return tls.Certificate{}, err
	}

	template := &x509.Certificate{
		SerialNumber: serialNumber,
		Subject: pkix.Name{
			CommonName: "Cloud SQL Test",
		},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		DNSNames:              []string{dnsName}, // Include the trailing dot
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}

	// CreateCertificate is where the affected Go versions report
	// "x509: SAN dNSName is malformed" for the trailing dot
	certDER, err := x509.CreateCertificate(rand.Reader, template, template, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, err
	}

	// Parse the certificate to get the *x509.Certificate for the Leaf field
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return tls.Certificate{}, err
	}

	return tls.Certificate{
		Certificate: [][]byte{certDER},
		PrivateKey:  priv,
		Leaf:        cert,
	}, nil
}
Stacktrace
Steps to reproduce?
Basically upgrade to go1.25.2 and attempt to connect to a Cloud SQL instance via PSC.
Environment
- Go version: 1.25.2
- cloud-sql-go-connector version: v1.18.1
- Cloud SQL instance type: PostgreSQL with Private Service Connect (PSC)
- Operating System: linux/amd64
Additional Details
No response
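Added example, not code from this issue or from the cloud-sql-go-connector project. It makes the failure mode concrete from the client side: crypto/x509 hostname matching (Certificate.VerifyHostname) trims a trailing dot from both the SAN and the name being checked, so a certificate whose SAN carries the name without the dot still verifies for a client dialing the dotted PSC name; what the reported Go versions reject is encoding the dot inside the dNSName itself. The helper names NormalizeDNSName, IssueCert, VerifyDottedName and ToolchainRejectsDottedSAN are hypothetical, the PSC-style hostname is constructed sample input, and the certificate is self-signed locally rather than fetched from Cloud SQL:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// NormalizeDNSName strips the trailing dot from a fully-qualified DNS name of
// the kind the Cloud SQL API returns for PSC instances, so that the value
// placed in a SAN dNSName is a plain hostname (hypothetical helper).
func NormalizeDNSName(name string) string {
	return strings.TrimSuffix(name, ".")
}

// IssueCert creates a short-lived self-signed server certificate carrying the
// given names as SAN dNSName entries and returns it parsed (hypothetical
// helper; a real deployment gets its server certificate from Cloud SQL).
func IssueCert(dnsNames ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "trailing-dot demo"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		DNSNames:              dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyDottedName issues a certificate whose SAN holds the normalized
// (dot-free) name and checks it against the name exactly as a client would
// dial it, trailing dot included. crypto/x509 trims a trailing dot on both
// sides during hostname matching, so this succeeds regardless of whether the
// toolchain accepts a dot inside the encoded SAN.
func VerifyDottedName(dialName string) error {
	cert, err := IssueCert(NormalizeDNSName(dialName))
	if err != nil {
		return fmt.Errorf("issuing certificate: %w", err)
	}
	return cert.VerifyHostname(dialName)
}

// ToolchainRejectsDottedSAN reports whether the running Go toolchain refuses
// to encode a SAN dNSName that still carries its trailing dot, which is the
// failure this issue describes. Any error other than the malformed-SAN
// rejection is returned so it is not mistaken for the known behaviour.
func ToolchainRejectsDottedSAN(dottedName string) (bool, error) {
	_, err := IssueCert(dottedName)
	switch {
	case err == nil:
		return false, nil
	case strings.Contains(err.Error(), "malformed"):
		return true, nil
	default:
		return false, err
	}
}

func main() {
	// Constructed sample in the shape of a Cloud SQL PSC DNS name, dot included.
	const pscName = "42cfcd3545f4.2imj07zrx20yw.us-west1.sql.goog."

	rejects, err := ToolchainRejectsDottedSAN(pscName)
	fmt.Printf("toolchain rejects dotted SAN: %v (err=%v)\n", rejects, err)

	// A SAN without the dot still verifies for the dotted dial name.
	fmt.Printf("verify %q against SAN %q: %v\n",
		pscName, NormalizeDNSName(pscName), VerifyDottedName(pscName))

	// Negative control: normalization must not turn a mismatch into a match.
	cert, err := IssueCert("db.example.test")
	if err != nil {
		fmt.Println("issue failed:", err)
		return
	}
	fmt.Printf("verify other name: %v\n", cert.VerifyHostname("other.example.test."))
}
```

Running it under an affected toolchain prints true for the probe while the dotted-name verification still reports nil, which is the point: normalizing the name before it is encoded into the SAN is compatible with clients that keep dialing the dotted form.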
Also an issue with go1.24.8
Hi all, thank you so much for reporting this issue. We are actively looking into this issue right now. In the meantime, please do not upgrade your Go version to the latest yet.
@cpondampion Interesting, it seems like 1.25.1 is still working, based on the recent testing with 1.25.1 we have -> https://github.com/GoogleCloudPlatform/cloud-sql-go-connector/actions/runs/18389697847/job/52396860241?pr=1026
I can double check.
Update:
Just verified: based on the Go release page, it looks like 1.24.8 and 1.25.2 were both released 3 days ago, and both of them break the SAN verification.
We are looking into this issue; please do not update to the above two versions for now.
Thank you all for the patience!
Update on this issue: it looks like those two versions released by the Go team included a strict verification which treats a trailing dot in a SAN as malformed.
They have released a patch which removes that verification for now. Those two versions of Go will not work with the connector and are treated as bad versions going forward. Sorry for the inconvenience.
Does it work with 1.25.3 or 1.25.4? Update: it seems like it was patched in 1.25.3.