Re: Documentation seems to be wrong on connecting ...

nmlopes · 09-10-2023 04:57 AM

In this page, the instructions state the following:

But using my instance name yields the following error on `psql`:

psql: error: connection to server at "redacted", port redacted failed: server certificate for "redacted1" does not match host name "redacted2"

"redacted2" is the instance name (I tried both just the instance name and the instance connection name. Both yielded the error seen above.

I then tried my INSTANCE_UID (as found in the logs) and that made it work. My question is: is this a documentation bug or a CloudSQL bug? If it is a documentation bug, where can I find the instance uid (besides going into the logs) and can the documentation be fixed?

If there's another approach to this let me know (I can't use `verify-ca` in my environment, it has to be `verify-full`).

ms4446

The error you're encountering seems to stem from a mismatch between the server's certificate and the hostname you're using to connect. This could be due to the difference between the instance name and the instance connection name.

To address this, you have two options:

Use the instance connection name as the hostname.
Use the instance UID as the hostname.

To locate the instance UID, navigate to the Cloud Console and select the Instances tab. Click on your instance's name, and you'll find the instance UID in the Details section.

To connect using psql with the instance UID, use:

psql -h <instance-uid> -p <port> -U <username>

Alternatively, to connect using the instance connection name:

psql -h <instance-connection-name> -p <port> -U <username>

If you can't utilize the verify-ca option, you can opt for verify-full. Contrary to common misconceptions, verify-full offers a higher security level as it verifies both the server's certificate and its hostname.

I hope this clarifies things.

nmlopes

Thanks for replying - I get all that you said but I think my point was missed. The documentation seems to be wrong. That screenshot I present has `INSTANCE_NAME` being shown when using `verify-full` but that does not work.

Using `INSTANCE_UID` which is nowhere to be found, except in the labels section of the logs, is what needs to be used so that `verify-full` works.

My questions was: is this a documentation bug or a CloudSQL bug? If it is a documentation bug, where can I find the instance uid (besides going into the logs) and can the documentation be fixed?

From your reply it seems that it is only a documentation bug in which case my follow-up question/ask still stands:

> "If it is a documentation bug, where can I find the instance uid (besides going into the logs) and can the documentation be fixed?"

Hope that helps.

ms4446

Thanks for the clarification. You can locate the instance_UID in the Cloud Console by navigating to the Instances page and clicking on your instance's name. The UID will be displayed in the Instance details section.

The error message you're seeing indicates a mismatch between the server's certificate (redacted1) and the hostname you're using to connect (redacted2). In your specific case, it appears that using the INSTANCE_UID as the hostname resolves the issue. I will file a bug in the documentation on your behalf to state where you can find instance_UID. Thanks for reporting the issue.

nmlopes

Awesome. Do you mind me asking where in the details section it appears? In my own Cloud SQL dashboard, I can't find the INSTANCE_UID anywhere. I find connection name and others but not this.

ms4446

I apologize for the confusion. The INSTANCE_UID is not displayed in the Cloud SQL dashboard. To find the INSTANCE_UID, you can use the following methods:

gcloud sql instances describe INSTANCE_NAME

nmlopes

Apologies for keeping on this but I don't think that's the case. I can't find the INSTANCE_UID through the gcloud console either.

Documentation seems to be wrong on connecting to CloudSQL Postgres with verify-full