SSL_ERROR_CERTIFICATE_EXPIRED cloud config_error ai_generated true

Error: SSL connection error: SSL certificate has expired

ID: cloud/gcp-cloud-sql-ssl-expired

Also available as: JSON · Markdown · 中文
88%Fix Rate
85%Confidence
1Evidence
2024-03-15First Seen

Version Compatibility

VersionStatusIntroducedDeprecatedNotes
Cloud SQL Proxy 2.11.0 active
MySQL 8.0 active
PostgreSQL 15 active

Root Cause

The client SSL certificate for Cloud SQL has expired, causing all encrypted connections to be rejected by the server.

generic

中文

Cloud SQL 的客户端 SSL 证书已过期,导致所有加密连接被服务器拒绝。

Official Documentation

https://cloud.google.com/sql/docs/mysql/configure-ssl-instance

Workarounds

  1. 95% success Generate a new client certificate using gcloud: gcloud sql ssl client-certs create client-cert.pem --instance=INSTANCE_NAME && gcloud sql ssl client-certs describe INSTANCE_NAME --cert-file=client-cert.pem 
    Generate a new client certificate using gcloud: gcloud sql ssl client-certs create client-cert.pem --instance=INSTANCE_NAME && gcloud sql ssl client-certs describe INSTANCE_NAME --cert-file=client-cert.pem
  2. 90% success Update the application to use the new certificate files (client-cert.pem, client-key.pem) and restart the application. 
    Update the application to use the new certificate files (client-cert.pem, client-key.pem) and restart the application.
  3. 85% success Set up automatic certificate rotation using a cron job or Cloud Scheduler to run gcloud sql ssl client-certs create monthly. 
    Set up automatic certificate rotation using a cron job or Cloud Scheduler to run gcloud sql ssl client-certs create monthly.

中文步骤

  1. 使用 gcloud 生成新的客户端证书:gcloud sql ssl client-certs create client-cert.pem --instance=INSTANCE_NAME && gcloud sql ssl client-certs describe INSTANCE_NAME --cert-file=client-cert.pem
  2. 更新应用程序以使用新证书文件(client-cert.pem、client-key.pem)并重启应用程序。
  3. 通过 cron 作业或 Cloud Scheduler 设置自动证书轮换,每月运行 gcloud sql ssl client-certs create。

Dead Ends

Common approaches that don't work:

  1. 95% fail

    Restarting does not renew expired SSL certificates; they are time-bound and must be regenerated.

  2. 80% fail

    Disabling SSL verification bypasses security but does not fix the expired certificate; the server still rejects the connection.

  3. 90% fail

    Timeout adjustments do not resolve authentication or certificate validation failures.