dtr32221 2018-10-09 03:24
Views: 141
Accepted

Cannot connect to proxy: "certificate signed by unknown authority"

I'm attempting to connect to a CloudSQL instance via a cloudsql-proxy container on my Kubernetes deployment. I have the cloudsql credentials mounted and the value of GOOGLE_APPLICATION_CREDENTIALS set.

However, I'm still receiving the following error in my logs:

2018/10/08 20:07:28 Failed to connect to database: Post https://www.googleapis.com/sql/v1beta4/projects/[projectID]/instances/[appName]/createEphemeral?alt=json&prettyPrint=false: oauth2: cannot fetch token: Post https://oauth2.googleapis.com/token: x509: certificate signed by unknown authority

My connection string looks like this:

[dbUser]:[dbPassword]@cloudsql([instanceName])/[dbName]]?charset=utf8&parseTime=True&loc=Local

And the proxy dialer is shadow-imported as:

_ github.com/GoogleCloudPlatform/cloudsql-proxy/proxy/dialers/mysql

Anyone have an idea what might be missing?

EDIT:

Deployment Spec looks something like this (JSON formatted):

{
  "replicas": 1,
  "selector": {
    ...
  },
  "template": {
    ...
    "spec": {
      "containers": [
        {
          "image": "[app-docker-imager]",
          "name": "...",
          "env": [
            ...
            {
              "name": "MYSQL_PASSWORD",
              ...
            },
            {
              "name": "MYSQL_USER",
              ...
            },
            {
              "name": "GOOGLE_APPLICATION_CREDENTIALS",
              "value": "..."
            }
          ],

          "ports": [
            {
              "containerPort": 8080,
              "protocol": "TCP"
            }
          ],
          "volumeMounts": [
            {
              "mountPath": "/secrets/cloudsql",
              "name": "[secrets-mount-name]",
              "readOnly": true
            }
          ]
        },
        {
          "command": [
            "/cloud_sql_proxy",
            "-instances=...",
            "-credential_file=..."
          ],
          "image": "gcr.io/cloudsql-docker/gce-proxy:1.11",
          "name": "...",
          "ports": [
            {
              "containerPort": 3306,
              "protocol": "TCP"
            }
          ],
          "volumeMounts": [
            {
              "mountPath": "/secrets/cloudsql",
              "name": "[secrets-mount-name]",
              "readOnly": true
            }
          ]
        }
      ],
      "volumes": [
        {
          "name": "[secrets-mount-name]",
          "secret": {
            "defaultMode": 420,
            "secretName": "[secrets-mount-name]"
          }
        }
      ]
    }
  }
}

1 answer

  • dongpeixiong5943 2018-10-10 20:56

    The error message indicates that your client is not able to trust the certificate of https://www.googleapis.com. There are two possible causes for this:

    1. Your client does not know what root certificates to trust. The official cloudsql-proxy docker image includes root certificates, so if you are using that image, this is not your problem. If you are not using that image, you should (or at least install ca certificates in your image).

    2. Your outbound traffic is being intercepted by a proxy server that is using a different, untrusted, certificate. This might be malicious (in which case you need to investigate who is intercepting your traffic). More benignly, you might be in an organization using an outbound proxy to inspect traffic according to policy. If this is the case, you should build a new docker image that includes the CA certificate used by your organization's outbound proxy.

    This answer was selected as the best answer by the asker.
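To tell the two causes in the answer apart while triaging, here is an added Go example (not code from the question, the answer or the cloudsql-proxy project). It checks a server certificate against a trust store the same way the Go TLS client inside the proxy does, using constructed certificates for a genuine chain and for a chain re-signed by a corporate interception CA; Classify, newCert and Demo are hypothetical names, and a nil pool stands in for an image with no ca-certificates installed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Classify verifies leaf for host against the container's trust store and maps the
// outcome to the answer's causes: "no-roots" (1), "untrusted-chain" (2) or "ok".
// A nil pool stands in for an image that ships no CA certificates at all.
func Classify(roots *x509.CertPool, leaf *x509.Certificate, host string) string {
	if roots == nil {
		return "no-roots"
	}
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err != nil {
		return "untrusted-chain"
	}
	return "ok"
}
// newCert issues a self-signed CA (parent nil) or a leaf for cn signed by parent (constructed test certs).
func newCert(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: ca, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { // self-signed root
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo is a constructed scenario: a public CA and a separate corporate proxy CA each
// issue a certificate for host, but only the public CA is in the trust store.
func Demo(host string) (trusted, noRoots, intercepted string) {
	pubCA, pubKey := newCert("constructed-public-root", true, nil, nil)
	proxyCA, proxyKey := newCert("constructed-proxy-root", true, nil, nil)
	genuine, _ := newCert(host, false, pubCA, pubKey)
	viaProxy, _ := newCert(host, false, proxyCA, proxyKey)
	store := x509.NewCertPool()
	store.AddCert(pubCA)
	return Classify(store, genuine, host), Classify(nil, genuine, host), Classify(store, viaProxy, host)
}
```

In a real container, the store would come from x509.SystemCertPool() and the leaf from the TLS connection state; "untrusted-chain" with a non-empty store is the signal to inspect the issuer presented on the wire before adding any CA to the image.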
