How to setup DataGrip connect Cloud SQL with SSL mode through Tunnel using DataGrip

Question

I am a newbie for Cloud SQL and Cloud Security. So now I already use Cloud SQL and connect to the database with Compute Engine. I use it as a proxy server and use for remote connect from my local machine.

And then I need to use SSL connection try to create new client certificates and it was OK if I connect from my proxy server.

But not work when I try to connect from the local machine using DataGrip. I got an error message.

Connection to postgres@database-server failed. [08006] Could not open SSL root certificate file /home/user/.postgresql/root.crt.

Answer 1

At the moment, to work properly using SSL you need to configure DataGrip in the following way.

1. Go to SSH/SSL tab
2. Enable SSL and provide paths to CA cert, client cert & client private key
3. Go to Advanced tab
4. Find sslmode property and set desired verification level, eg verify-ca
5. Find sslrootcert property and provide path to your ca.cert

Furthermore, did you put your root.crt to /home/user/.postgresql/root.crt ?

Also, if to refer to https://cloud.google.com/sql/docs/postgres/connect-admin-ip#connect-ssl use the following parameters:

sslmode=verify-ca

sslrootcert=/path/to/your/server-ca.pem

ca file=/path/to/your/server-ca.pem

client certificate file=/path/to/your/client-cert.pem

client key file=/path/to/your/client-key.pem

Answer 2

This is caused by a change in the Postgres JDBC driver after version 42.2.2. Subsequent versions treat ssl=true to also be sslmode=verify-ca while also introducing a change that causes the default SSLFactory to not recognize the JRE cacerts .

To resolve this, either revert to driver 42.2.2 or set the sslfactory to org.postgresql.ssl.DefaultJavaSSLFactory

There is also a GitHub issue https://github.com/pgjdbc/pgjdbc/issues/1307