DNS in CloudSQL with private IP


Neil Ghosh

Apr 26, 2022, 6:03:58 PM
to Google Cloud SQL discuss
How do we set DNS in CloudSQL with private IP only? I am using the server cert from the CloudSQL instance but get the following error when using the private IP in nodejs code.

"code":"ERR_TLS_CERT_ALTNAME_INVALID","message":"Hostname/IP does not match certificate's altnames: Host: localhost. is not cert's CN: <CloudSQL_Instance_NAME>"

I understand the private IP can be assigned a domain name, but I have the following concerns:
  1. I don't own any domain; how do we use Cloud DNS to get a google domain subdomain or equivalent?
  2. PrivateIP will change when the Instance is edited, i.e. when the Network is changed, and then Cloud DNS would point to the wrong IP.
  3. As per the above error message it's not clear which domain the certificate is minted for; it just shows the fully qualified cloud SQL instance name.
I understand cloud SQL proxy is the solution to everything related to this, but isn't there really any other option?

Kurtis Van Gent

Apr 27, 2022, 12:20:22 PM
to Google Cloud SQL discuss
Hi Neil,

Connecting with TLS/SSL certificates without the Cloud SQL proxy is definitely supported. 

I can't say for sure without more details, but it sounds like your driver is trying to fully verify the certificate by making sure that the CN resolves to the same IP you are trying to connect with. I don't know which database engine you are using, but here are the postgres docs that explain this behavior:

> Once a chain of trust has been established, there are two ways for the client to validate the leaf certificate sent by the server. If the parameter sslmode is set to verify-ca, libpq will verify that the server is trustworthy by checking the certificate chain up to the root certificate stored on the client. If sslmode is set to verify-full, libpq will also verify that the server host name matches the name stored in the server certificate. The SSL connection will fail if the server certificate cannot be verified. verify-full is recommended in most security-sensitive environments.

If you make sure your driver is using `sslmode=required` or `sslmode=verify-ca`, you should be able to connect without any issues. Here's an example configuring a TCP connection using TLS.

Hope that helps. 
