Cloud SQL Proxy SSL error: `certificate had CN "", expected "<project>:<region>:<instance>"` when connecting to PostgreSQL 14
We're encountering an issue with Cloud SQL Proxy (v1 and v2) when connecting to a newly created PostgreSQL 14 Cloud SQL instance via a Kubernetes deployment on GKE.
The error we see in the logs is:
`certificate had CN "", expected "<project-id>:<region>:<instance-name>"`
Context:
- We're using the Cloud SQL Auth Proxy sidecar container in our GKE deployment.
- The credentials JSON for a service account with the Cloud SQL Client role is correctly mounted and used via `-credential_file`.
- The instance connection string is correctly formatted.
- We’ve verified that the secret mounts and paths are accurate.
- The same setup works fine for an older PostgreSQL 11 instance.
Observations:
- Proxy starts and listens on `127.0.0.1:5432`, but immediately fails on SSL handshake.
- The error appears to be related to the certificate’s Common Name (CN) being empty or invalid.
- The username used to connect differs from the old instance (`proxyuser`) vs. new one (`postgres`), but it's unclear if that's related.
What we've tried:
- Regenerating and rotating service account keys
- Verifying IAM permissions
- Ensuring secrets are properly mounted
- Running the proxy locally with the same credentials (same error)
Question:
What could cause the Cloud SQL Auth Proxy to reject the connection due to a CN `""` certificate mismatch?
Is there a misconfiguration at the SSL level or something specific to PostgreSQL 14 instances?
We'd appreciate guidance on resolving this safely without exposing internal project data. Thanks in advance!
It seems Cloud SQL Auth Proxy failed to set up proxy connections to the instance. It is likely because the language connectors/auth proxy version is too old. Have you tried upgrading your Cloud SQL proxy version? If you are using Cloud SQL Auth Proxy, make sure you are using the most recent version; see "Keeping the Cloud SQL Auth Proxy up to date".
You can also check this documentation about "Requirements for using the Cloud SQL Auth Proxy"; it mentions connections to Cloud SQL instances using (shared/customer-managed) Certificate Authority (CA) with the recommended Cloud SQL Auth Proxy version.
If upgrading the proxy version doesn't work for you and if you have a support package, I would recommend getting help by reaching out to Google Cloud Support for a more in-depth analysis of your issue.
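The failure mode behind this error message, as an added example that is not part of the thread and not the proxy's own code: a client that identifies the server only by certificate CN rejects a certificate whose subject is empty, while a check against the subjectAltName entries accepts it. The CN comparison is inferred from the error text; that certificates from a shared or customer-managed CA carry the identity in a SAN DNS name is an assumption here, and `my-project:my-instance` and `db.example.internal` are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// makeCert builds a constructed, self-signed server certificate for this demo.
// Validity dates are omitted because neither check below looks at them.
func makeCert(cn string, sans []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkCN is a CN-only identity check, inferred from the error text on this page.
func checkCN(cert *x509.Certificate, instance string) error {
	if cert.Subject.CommonName != instance {
		return fmt.Errorf("certificate had CN %q, expected %q", cert.Subject.CommonName, instance)
	}
	return nil
}

// checkSAN matches the expected DNS name against the subjectAltName entries.
func checkSAN(cert *x509.Certificate, dnsName string) error { return cert.VerifyHostname(dnsName) }

func main() {
	// Constructed placeholder names; an empty CN with the identity only in the SAN.
	cert, err := makeCert("", []string{"db.example.internal"})
	if err != nil {
		panic(err)
	}
	fmt.Println("CN check: ", checkCN(cert, "my-project:my-instance"))
	fmt.Println("SAN check:", checkSAN(cert, "db.example.internal"))
}
```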
I have a similar issue with the error message: `Cloud SQL connection failed. Please see https://cloud.google.com/sql/docs/mysql/connect-run for additional details: certificate had CN "", expected "<project_id>:<instance_id>"`
I have a simple setup where I deploy my Ruby backend API on a Cloud Run service using an artifact, and I connect it to a PostgreSQL database on Cloud SQL. I try to connect both through a UNIX socket, as it seems to be the correct way to do it (rather than TCP).
In my Cloud Run configuration, I specifically selected the database instance to automatically establish the socket in the background (according to Google Cloud documentation). According to the documentation, I'm not supposed to set up a Cloud Auth Proxy with this setup; however, I can't make it work: the connection always fails.