Hi all,
Please explain this to me... To simplify my question... I have configured a Cloud SQL PostgreSQL instance in the following way:
- I have whitelisted my IP (in the authorization tab)
- I have created ssl client certificate 'foo' (in the ssl tab) and downloaded foo-client-cert.pem and foo-client-cert.pem
- I have created ssl client certificate 'bar' (in the ssl tab) and downloaded bar-client-cert.pem and bar-client-cert.pem and then I deleted this client certificate (in the ssl tab)
- I have also downloaded server-ca.pem
Now,
psql "sslmode=verify-full sslrootcert=keys/server-ca.pem sslcert=keys/foo-client-cert.pem sslkey=keys/foo-client-key.pem hostaddr=xx.xx.xx.xx port=xxxx user=xxxx dbname=xxxx host=xxxx"
works as expected -- ssl connection established
psql "sslmode=verify-full sslrootcert=keys/server-ca.pem sslcert=keys/bar-client-cert.pem sslkey=keys/bar-client-key.pem hostaddr=xx.xx.xx.xx port=xxxx user=xxxx dbname=xxxx host=xxxx"
works as expected -- not connecting, giving the following
psql: SSL error: tlsv1 alert unknown ca
psql "sslmode=verify-full sslrootcert=keys/server-ca.pem hostaddr=xx.xx.xx.xx port=xxxx user=xxxx dbname=xxxx host=xxxx"
without supplying either sslcert or sslkey, also establishes the ssl connection
This would be consistent with the documentation on
https://cloud.google.com/sql/docs/postgres/connect-admin-ip stating that "The sslcert and sslkey parameters are optional.", but at this moment I don't understand why this works. I.e. you cannot use the deleted 'bar' public/private key pair, however you can connect using (indirectly) some default, system configuration specific, postgres public/private key pair. Am I missing something?
Best regards,
s