1

I'm trying to use GCP's cloud_sql_proxy via one of our proxy servers with custom CA-signed certificates. I tried setting the cert using the custom_ca_certs_file property of gcloud config. I also double-checked that the CA cert is set, using the command gcloud config list.

In spite of that, I am getting the below error in cloud_sql_proxy when trying to connect my SQL client via cloud_sql_proxy.

2020/08/19 11:37:36 Listening on 0.0.0.0:<My local port> for <Instance_connnection_name>

2020/08/19 11:37:36 Ready for new connections

2020/08/19 11:39:11 New connection for "<Instance_connnection_name>"

2020/08/19 11:39:12 couldn't connect to "<Instance_connnection_name>": x509: certificate signed by unknown authority

2020/08/19 11:40:08 Received TERM signal. Waiting up to 0s before terminating.

It seems like cloud_sql_proxy is not respecting the CA cert in gcloud config. How do I configure the cert for cloud_sql_proxy?

Kannan Ramamoorthy

1 Answer

0

The error message indicates that your client is not able to trust the certificate of https://www.googleapis.com.

This can happen due to:

  • The client does not know what root certificates to trust.

  • The outbound traffic is using a proxy server that is using a different, untrusted, certificate.

  • The 'ca-certificates.crt' file needs to be in /etc/ssl/certs, which is one of the locations where some languages look for certificates.

I found more about this here: Failure to connect to proxy "Certificate signed by unknown authority"

Carlo C.
  • Thanks for the comment. I understand the problem. I would like to pass the CA cert to cloud_sql_proxy. Rephrased the question to make it explicit. – Kannan Ramamoorthy Aug 19 '20 at 11:14
  • This is the closest I could find on GCP Documentation: https://cloud.google.com/sql/docs/mysql/diagnose-issues#occasional_connection_failures – Carlo C. Aug 20 '20 at 16:05