Cannot create a connection profile for Cloud SQL Postgres with private IP address and SSL enabled

Hello,

I am trying to create a data stream to sync a Postgres DB in Cloud SQL and insert the data into Google BigQuery. My existing database is deployed with private and public IPs enabled, and SSL is also enforced.

I have done the following to connect using the private IP addresses, but I am getting the following error.

FATAL:  connection requires a valid client certificate
FATAL:  pg_hba.conf rejects connection for host "10.132.0.11" user "datastream_user" database "postgres" no encryption

I have created a VPC peering and also set up a reverse proxy as mentioned here:
https://cloud.google.com/datastream/docs/private-connectivity#reverse-csql-proxy

I can telnet to Postgres from the reverse proxy as well. I assume the problem is that I need to add the certificate, as I have enforced SSL.

How can I solve this problem? Help is highly appreciated.

Thanks

1 ACCEPTED SOLUTION

I apologize for the oversight. You're correct. As of now, Google Cloud Datastream does not support the addition of a client certificate and private key for PostgreSQL connections.

In the meantime, here are a few potential workarounds:

  1. Reverse Proxy Configuration: Ensure that your reverse proxy is correctly set up to forward connections to the PostgreSQL instance. If you've enforced SSL on your PostgreSQL instance, consider temporarily disabling it to see if Datastream can connect without SSL.

  2. Cloud SQL Auth Proxy: You can use the Cloud SQL Auth proxy to provide a secure connection to your Cloud SQL instance without the need for SSL/TLS certificates. The Auth proxy opens a local port on your machine, and any connection to this local port is securely forwarded to the Cloud SQL instance. This method uses IAM for authentication, ensuring a secure connection without the complexities of managing SSL certificates.

  3. Custom Proxy: While it's possible to set up a custom proxy that can handle client certificates and private keys, this approach can be complex and might introduce additional maintenance overhead.
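
The two FATAL lines quoted in the question each say something different about the server's TLS policy. The following is an added example, not part of the original thread or of any Google tooling: a small Python parser (the names `diagnose` and `summarize` are hypothetical) that reads such error output and reports what it implies, assuming standard PostgreSQL message wording.

```python
import re

# pg_hba rejection message. Commas between fields are optional because the copy
# quoted in the question has none; older PostgreSQL releases print
# "SSL on"/"SSL off" instead of "SSL encryption"/"no encryption".
HBA_REJECT = re.compile(
    r'pg_hba\.conf rejects connection for host "(?P<host>[^"]+)",? '
    r'user "(?P<user>[^"]+)",? database "(?P<database>[^"]+)",? '
    r'(?P<enc>SSL encryption|no encryption|SSL on|SSL off)')
CERT_REQUIRED = "connection requires a valid client certificate"

# The two lines quoted in the question.
SAMPLE = '''FATAL:  connection requires a valid client certificate
FATAL:  pg_hba.conf rejects connection for host "10.132.0.11" user "datastream_user" database "postgres" no encryption'''


def diagnose(error_text):
    """Collect TLS-related findings from the FATAL lines of a failed connect."""
    f = {"client_cert_required": False, "plaintext_rejected": False,
         "tls_rejected": False, "peer": None}
    for line in error_text.splitlines():
        if CERT_REQUIRED in line:
            # Raised on a TLS connection that presented no valid client cert.
            f["client_cert_required"] = True
        m = HBA_REJECT.search(line)
        if m:
            f["peer"] = (m["host"], m["user"], m["database"])
            if m["enc"] in ("no encryption", "SSL off"):
                f["plaintext_rejected"] = True
            else:
                f["tls_rejected"] = True
    return f


def summarize(f):
    """One-line reading of the findings, most specific case first."""
    if f["client_cert_required"] and f["plaintext_rejected"]:
        return "server enforces mutual TLS; client tried TLS without a certificate, then plaintext"
    if f["client_cert_required"]:
        return "server enforces mutual TLS; client presented no valid certificate"
    if f["plaintext_rejected"]:
        return "server rejects plaintext; client connected without TLS"
    if f["tls_rejected"]:
        return "a pg_hba reject rule matched even with TLS; encryption is not the cause"
    return "no TLS-related rejection recognised"


if __name__ == "__main__":
    print(summarize(diagnose(SAMPLE)))
```

For the question's output, the result points at the server's client-certificate requirement rather than at the VPC peering or the reverse proxy, which matches the successful telnet test.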
