Cloud SQL Proxy SSL error: `certificate had CN "", expected "<project>:<region>:<instance>"` when connecting to PostgreSQL 14
We're encountering an issue with Cloud SQL Proxy (v1 and v2) when connecting to a newly created PostgreSQL 14 Cloud SQL instance via a Kubernetes deployment on GKE.
The error we see in the logs is:
certificate had CN "", expected "<project-id>:<region>:<instance-name>"
Context:
- We're using the Cloud SQL Auth Proxy sidecar container in our GKE deployment.
- The credentials JSON for a service account with the Cloud SQL Client role is correctly mounted and used via `-credential_file`.
- The instance connection string is correctly formatted.
- We’ve verified that the secret mounts and paths are accurate.
- The same setup works fine for an older PostgreSQL 11 instance.
Observations:
- Proxy starts and listens on `127.0.0.1:5432`, but immediately fails on SSL handshake.
- The error appears to be related to the certificate’s Common Name (CN) being empty or invalid.
- The username used to connect differs from the old instance (`proxyuser`) vs. new one (`postgres`), but it's unclear if that's related.
What we've tried:
- Regenerating and rotating service account keys
- Verifying IAM permissions
- Ensuring secrets are properly mounted
- Running the proxy locally with the same credentials (same error)
Question:
What could cause the Cloud SQL Auth Proxy to reject the connection due to a `CN ""` certificate mismatch?
Is there a misconfiguration at the SSL level or something specific to PostgreSQL 14 instances?
We'd appreciate guidance on resolving this safely without exposing internal project data. Thanks in advance!