
Enable “Allow only SSL connection” for Google Cloud SQL instance and connect to it from SSL-configured Spring application

I have a Spring application running on Tomcat (7.0.68) on my local machine that uses a Google Cloud MySQL instance. I am also using C3P0 (0.9.1.2) as a connection pool. You can find part of the DAOcontext.xml file and CATALINA_OPTS below:

....
<bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource">
        <property name="driverClass" value="com.mysql.jdbc.Driver"/>
        <property name="jdbcUrl" value="jdbc:mysql://sql_instance_ip:3306/table_name?verifyServerCertificate=true&amp;useSSL=true&amp;requireSSL=true&amp;trustCertificateKeyStoreUrl=file:/path/to/trustStore.jks&amp;trustCertificateKeyStorePassword=****&amp;characterEncoding=UTF-8&amp;useUnicode=true&amp;autoReconnect=true&amp;useServerPrepStmts=false&amp;rewriteBatchedStatements=true&amp;failOverReadOnly=false&amp;zeroDateTimeBehavior=convertToNull"/>
        <property name="user" value="***"/>
        <property name="password" value="****"/>
        <property name="acquireIncrement" value="1"/>
        <property name="initialPoolSize" value="1"/>
        <property name="minPoolSize" value="1"/>
        <property name="maxPoolSize" value="5"/>
        <property name="maxIdleTime" value="120"/>
</bean>
...

CATALINA_OPTS="... -Djavax.net.ssl.keyStore=/path/to/keyStore.jks -Djavax.net.ssl.keyStorePassword=**** ..."

FYI, these key stores are created from my SQL instance's certificate, and my local IP is whitelisted for this MySQL instance. https://cloud.google.com/sql/docs/mysql/configure-ssl-instance

When I disable the "Allow only SSL connection" option from the dashboard, my application runs without any DB connection problem. Also, when I check the connection between my application and the SQL instance via Wireshark, I see that the packets are SSL encrypted.

When I enable this option, my Tomcat application gives these errors:

May 07, 2018 5:02:49 PM com.mchange.v2.c3p0.impl.AbstractPoolBackedDataSource getPoolManager
INFO: Initializing c3p0 pool... com.mchange.v2.c3p0.ComboPooledDataSource [ acquireIncrement -> 1, acquireRetryAttempts -> 30, acquireRetryDelay -> 1000, autoCommitOnClose -> false, automaticTestTable -> null, breakAfterAcquireFailure -> false, checkoutTimeout -> 0, connectionCustomizerClassName -> null, connectionTesterClassName -> com.mchange.v2.c3p0.impl.DefaultConnectionTester, dataSourceName -> z8kfsx9u1h2ypospw6bfm|37fcf007, debugUnreturnedConnectionStackTraces -> false, description -> null, driverClass -> com.mysql.jdbc.Driver, factoryClassLocation -> null, forceIgnoreUnresolvedTransactions -> false, identityToken -> z8kfsx9u1h2ypospw6bfm|37fcf007, idleConnectionTestPeriod -> 0, initialPoolSize -> 1, jdbcUrl -> jdbc:mysql://sql_instance_ip:3306/table_name?verifyServerCertificate=true&useSSL=true&requireSSL=true&trustCertificateKeyStoreUrl=file:/path/to/trustStore.jks&trustCertificateKeyStorePassword=****&characterEncoding=UTF-8&useUnicode=true&autoReconnect=true&useServerPrepStmts=false&rewriteBatchedStatements=true&failOverReadOnly=false&zeroDateTimeBehavior=convertToNull"/, maxAdministrativeTaskTime -> 0, maxConnectionAge -> 0, maxIdleTime -> 120, maxIdleTimeExcessConnections -> 0, maxPoolSize -> 5, maxStatements -> 0, maxStatementsPerConnection -> 0, minPoolSize -> 1, numHelperThreads -> 3, numThreadsAwaitingCheckoutDefaultUser -> 0, preferredTestQuery -> null, properties -> {user=******, password=******}, propertyCycle -> 0, testConnectionOnCheckin -> false, testConnectionOnCheckout -> false, unreturnedConnectionTimeout -> 0, usesTraditionalReflectiveProxies -> false ]
May 07, 2018 5:03:09 PM com.mchange.v2.async.ThreadPoolAsynchronousRunner$DeadlockDetector run
WARNING: com.mchange.v2.async.ThreadPoolAsynchronousRunner$DeadlockDetector@274517d0 -- APPARENT DEADLOCK!!! Creating emergency threads for unassigned pending tasks!
May 07, 2018 5:03:09 PM com.mchange.v2.async.ThreadPoolAsynchronousRunner$DeadlockDetector run
WARNING: com.mchange.v2.async.ThreadPoolAsynchronousRunner$DeadlockDetector@274517d0 -- APPARENT DEADLOCK!!! Complete Status:
    Managed Threads: 3
    Active Threads: 3
    Active Tasks:
        com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask@68bff773 (com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread-#1)
        com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask@67cb9623 (com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread-#2)
        com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask@599d5f2f (com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread-#0)
    Pending Tasks:
        com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask@1f0360c0
        com.mchange.v2.resourcepool.BasicResourcePool$AcquireTask@890083c
Pool thread stack traces:
    Thread[com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread-#1,5,main]
        java.lang.Thread.sleep(Native Method)
        com.mysql.jdbc.ConnectionImpl.connectWithRetries(ConnectionImpl.java:2376)
        com.mysql.jdbc.ConnectionImpl.createNewIO(ConnectionImpl.java:2306)
        com.mysql.jdbc.ConnectionImpl.<init>(ConnectionImpl.java:834)
        com.mysql.jdbc.JDBC4Connection.<init>(JDBC4Connection.java:47)
        sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
....

These error logs are not specific to this issue, but they are similar to those I got when my application is not able to connect to the DB. Do you have any idea or advice about this issue? Is there anyone who uses a similar setup and has encountered this problem?

Any kind of help and suggestion is highly appreciated!

It seems like a configuration problem. I recommend following all the steps described in the official documentation again and checking if your server certificate is still valid.

As a workaround, I suggest the possibility of using Cloud SQL proxy.
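
One way to carry out the certificate check suggested in the answer, as an added example that is not part of the original question or answer: it loads a JKS file such as the `trustStore.jks` or `keyStore.jks` from the question, and reports for each alias whether it is a private-key entry or a trusted-certificate entry and whether its certificate is currently valid. The class name `StoreCheck` and the `KS_PASS` environment variable are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example: inspect a JKS file such as trustStore.jks or keyStore.jks.
// Usage: KS_PASS=<password> java StoreCheck /path/to/store.jks
// KS_PASS is a hypothetical environment variable name chosen for this example;
// it keeps the store password out of the command line.
public class StoreCheck {
    static String validity(X509Certificate c) {
        try {
            c.checkValidity();               // compares against the current time
            return "valid until " + c.getNotAfter();
        } catch (CertificateExpiredException e) {
            return "EXPIRED on " + c.getNotAfter();
        } catch (CertificateNotYetValidException e) {
            return "NOT YET VALID, starts " + c.getNotBefore();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1 || System.getenv("KS_PASS") == null) {
            System.err.println("usage: KS_PASS=<password> java StoreCheck <store.jks>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            // A wrong password or a corrupt file fails here with an IOException.
            ks.load(in, System.getenv("KS_PASS").toCharArray());
        }
        if (ks.size() == 0) System.out.println("store is empty");
        for (String alias : Collections.list(ks.aliases())) {
            // Key entry = private key plus certificate chain (a client identity);
            // certificate entry = trusted certificate only (for example a server CA).
            String kind = ks.isKeyEntry(alias) ? "private-key entry" : "trusted-cert entry";
            Certificate cert = ks.getCertificate(alias);   // null if the entry has no certificate
            boolean x509 = cert instanceof X509Certificate;
            String subject = x509 ? ((X509Certificate) cert).getSubjectX500Principal().getName() : "?";
            String status = x509 ? validity((X509Certificate) cert) : "no X.509 certificate";
            System.out.printf("%s [%s] %s: %s%n", alias, kind, subject, status);
        }
    }
}
```

Run it once per store: a store meant to present a client certificate needs a private-key entry, while a store used only for verifying the server needs a trusted-certificate entry.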
