Failed to connect to Cloud SQL Instance with Google managed CAS certificate authority
Bug Description
- Create new Postgres Sql instance (I am using v16)
- Default setting is now: GOOGLE_MANAGED_CAS_CA
- Try to connect with cloud-sql-proxy; it fails.
Example code (or command)
This fails when running CloudRun or running the cloud-sql-proxy.
./cloud-sql-proxy --address 0.0.0.0 --port 5555 huvrdata-testing:us-central1:testing-1
2025/05/05 14:32:22 Authorizing with Application Default Credentials
2025/05/05 14:32:22 [PROJECT-testing:us-central1:INSTANCE-1] Listening on [::]:5555
2025/05/05 14:32:22 The proxy has started successfully and is ready for new connections!
2025/05/06 13:57:31 [PROJECT-testing:us-central1:INSTANCE-1] accepted connection from 127.0.0.1:56966
2025/05/06 13:57:31 [PROJECT-testing:us-central1:INSTANCE-1] failed to connect to instance: Dial error: handshake failed (connection name = "PROJECT-testing:us-central1:INSTANCE-1"): Dial error: certificate had CN "", expected "PROJECT-testing:INSTANCE-1" (connection name = "PROJECT-testing:us-central1:INSTANCE-1")
This failure is caused by trying to run a psql connection:
psql --host 127.0.0.1 --port 5555 --user postgres --dbname dev --no-password --command 'SELECT COUNT(*) FROM assets_asset;'
The sql command is irrelevant.
I have two instances. The old instance works just fine. Works both with the local run and in Cloud Run.
Stacktrace
2025/05/06 13:57:31 [PROJECT-testing:us-central1:INSTANCE-1] failed to connect to instance: Dial error: handshake failed (connection name = "PROJECT-testing:us-central1:INSTANCE-1"): Dial error: certificate had CN "", expected "PROJECT-testing:INSTANCE-1" (connection name = "PROJECT-testing:us-central1:INSTANCE-1")
Steps to reproduce?
- Cloud Run connect to Cloud SQL
- Add the connection
- All DB connections fail to new instance
Cloud SQL instance has: GOOGLE_MANAGED_CAS_CA set.
Environment
- OS type and version: Locally running Mac, but CloudRun is my main concern
- Cloud SQL Proxy version: cloud-sql-proxy version 2.0.0
- Proxy invocation command:
./cloud-sql-proxy --address 0.0.0.0 --port 5555 CONNECTION
Additional Details
Related to: #2425 (similar errors)
Hi, @sww314,
The Cloud SQL Proxy started supporting instances configured with GOOGLE_MANAGED_CAS_CA starting with proxy version 2.14.0. You should be able to fix this quickly by upgrading your proxy version to the latest.
Let us know if that worked.
@hessjcg Thanks for the quick reply.
Do you know how CloudRun works? That is really what I was trying to fix. There I do not have control over the version. Since I got the same error - I suspected that CloudRun uses CloudSQLproxy as sidecar or something.
Upgrading to the latest (2.15.2) does fix the error with cloud-sql-proxy when running locally.
Do you know how CloudRun works? That is really what I was trying to fix. There I do not have control over the version. Since I got the same error - I suspected that CloudRun uses CloudSQLproxy as sidecar or something.
Facing the same issue since this morning in "Cloud Run". ChatGPT says it's not possible to choose sql proxy version in cloud run but it's possible to start your own version of sql proxy manually:
No, you cannot manually update the Cloud SQL Auth Proxy used internally by Google Cloud Run when you connect to a Cloud SQL instance via the built-in Cloud SQL connection feature (i.e., when you specify the instance connection name in the Cloud Run settings). Google manages that proxy version for you.
✅ However, you can use a custom version by doing this instead:
Option: Use the Cloud SQL Auth Proxy Manually Inside Your Container
If you want to control the version of the Cloud SQL Auth Proxy:
Download or install the latest Cloud SQL Auth Proxy in your Dockerfile:
ADD https://dl.google.com/cloudsql/cloud_sql_proxy.linux.amd64 /cloud_sql_proxy
RUN chmod +x /cloud_sql_proxy
Run the proxy manually in your container (e.g., via an entrypoint script):
./cloud_sql_proxy -dir=/cloudsql -instances=PROJECT:REGION:INSTANCE=tcp:5432
Connect your app to localhost:5432 or the Unix socket, depending on your proxy mode.
Ensure required IAM permissions and service account settings are in place.
Avoid using the built-in Cloud SQL connection feature in Cloud Run (i.e., leave the instance connection name blank in the UI).
Drive by comment:
ChatGPT is giving bad advice. Instead of baking the proxy into your container, use Cloud Run's multi-container support to run the Cloud SQL Proxy as a proper sidecar.
See https://cloud.google.com/run/docs/deploying#sidecars for details.
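A sketch of the sidecar layout suggested in the comment above, as an added example that is not from the thread or the project: a Cloud Run service definition that runs a version-pinned Cloud SQL Proxy next to the application container. The names in capitals, the `app` container name and the `DB_HOST`/`DB_PORT` variables are placeholders assumed for illustration.

```yaml
# Added example. Values in CAPS are placeholders, not taken from the issue.
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: SERVICE_NAME
spec:
  template:
    metadata:
      annotations:
        # Start the proxy container before the application container.
        run.googleapis.com/container-dependencies: '{"app":["cloud-sql-proxy"]}'
        # The run.googleapis.com/cloudsql-instances annotation is deliberately
        # absent, so the platform-managed proxy is not used for this service.
    spec:
      # The service account must be allowed to connect to the instance
      # (for example through the Cloud SQL Client role).
      serviceAccountName: SERVICE_ACCOUNT_EMAIL
      containers:
      - name: app
        image: APP_IMAGE
        ports:
        - containerPort: 8080
        env:
        # Hypothetical variable names: the application reaches the database
        # through the sidecar on the loopback interface.
        - name: DB_HOST
          value: "127.0.0.1"
        - name: DB_PORT
          value: "5432"
      - name: cloud-sql-proxy
        # Pinned tag instead of "latest". Per the thread, 2.14.0 is the first
        # release that supports GOOGLE_MANAGED_CAS_CA instances and 2.15.2 is
        # the version the reporter confirmed working locally.
        image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.15.2
        args:
        - "--port=5432"
        - "PROJECT:REGION:INSTANCE"
```

The file can be applied with `gcloud run services replace`. Pinning the image tag keeps the proxy version under the operator's control, which is the point the original reporter could not achieve with the built-in connection.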
me too
2025/06/23 09:27:39 [project:region:instance] failed to connect to instance: dial error: handshake failed (connection name = "project:region:instance"): dial error: failed to verify certificate (connection name = "project:region:instance"): tls: failed to verify certificate: x509: certificate signed by unknown authority
The latest versions of the proxy, including the built-in Cloud Run proxy, support customer_managed_cas, which means this should be fixed. Feel free to reopen if you have further issues.