# Error: SSL connection error: SSL certificate has expired

- **ID:** `cloud/gcp-cloud-sql-ssl-expired`
- **Domain:** cloud
- **Category:** config_error
- **Error Code:** `SSL_ERROR_CERTIFICATE_EXPIRED`
- **Verification:** ai_generated
- **Fix Rate:** 88%

## Root Cause

The client SSL certificate for Cloud SQL has expired, causing all encrypted connections to be rejected by the server.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Cloud SQL Proxy 2.11.0 | active | — | — |
| MySQL 8.0 | active | — | — |
| PostgreSQL 15 | active | — | — |

## Workarounds

1. **Generate a new client certificate using gcloud: gcloud sql ssl client-certs create client-cert.pem --instance=INSTANCE_NAME && gcloud sql ssl client-certs describe INSTANCE_NAME --cert-file=client-cert.pem** (95% success)
   ```
   Generate a new client certificate using gcloud: gcloud sql ssl client-certs create client-cert.pem --instance=INSTANCE_NAME && gcloud sql ssl client-certs describe INSTANCE_NAME --cert-file=client-cert.pem
   ```
2. **Update the application to use the new certificate files (client-cert.pem, client-key.pem) and restart the application.** (90% success)
   ```
   Update the application to use the new certificate files (client-cert.pem, client-key.pem) and restart the application.
   ```
3. **Set up automatic certificate rotation using a cron job or Cloud Scheduler to run gcloud sql ssl client-certs create monthly.** (85% success)
   ```
   Set up automatic certificate rotation using a cron job or Cloud Scheduler to run gcloud sql ssl client-certs create monthly.
   ```

## Dead Ends

- **** — Restarting does not renew expired SSL certificates; they are time-bound and must be regenerated. (95% fail)
- **** — Disabling SSL verification bypasses security but does not fix the expired certificate; the server still rejects the connection. (80% fail)
- **** — Timeout adjustments do not resolve authentication or certificate validation failures. (90% fail)