在Google Cloud和Cloud SQL之间设置SSL [英] Set up SSL between Google Cloud and Cloud SQL

问题描述

我在GCP Compute Engine上有一个WordPress网站，并在Cloud SQL上托管了一个数据库，效果很好.我唯一的问题是，每当我在GCP仪表板上选择仅允许SSL连接"时，该站点就无法连接到数据库，并且出现连接数据库时出错"错误.

I've got a WordPress site on GCP Compute Engine and a database which is hosted on Cloud SQL, which works great. My only issue is every time I select "Allow only SSL connections" on the GCP dashboard the site can't connect to the database and I get "Error connecting to database" error.

我已经下载了Google在创建SQL实例时提供的所有SSL(.pem)文件.遵循了约翰·汉利(John Hanley)的指示 https://github.com/jhanley-com/wordpress- cloud-sql ，一旦我打开SSL，它仍然会中断.

I have downloaded all the SSL (.pem) files that Google provided when creating the SQL instance. Have followed instructions by John Hanley https://github.com/jhanley-com/wordpress-cloud-sql, as soon as I turn SSL on and it still breaks.

我也有用于网站和Cloudflare设置的Comodo SSL，不确定是否与此有关.

I also have Comodo SSL for the site and Cloudflare setup, unsure if that has anything to do with it.

也一直在研究Cloud SQL代理，但是不确定如何设置它，或者它是否比上述解决方案更好或更糟...

Have also been looking at Cloud SQL Proxy but unsure how to set that up or if it's better or worse than the above solution...

约翰·汉利(John Hanley)指示他提出一个新问题，以便他可以提供帮助.

Have been instructed by John Hanley to create a new question so he can assist.

谢谢.

推荐答案

创建新的客户端证书[1]时，系统会要求您下载三个文件(server-ca.pem，client-cert.pem，client- key.pem)是--ssl-ca，-ssl-cert和--ssl-key命令选项的值

When you create a new client certificate [1] the three files you are asked to download (server-ca.pem, client-cert.pem, client-key.pem) are the values for the --ssl-ca, --ssl-cert, and --ssl-key command options

例如:mysql --ssl-ca = server-ca.pem --ssl-cert = client-cert.pem --ssl-key = client-key.pem --host = [instance-ip]- user = root --password

E.g: mysql --ssl-ca=server-ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem --host=[instance-ip] --user=root --password

如果找不到它们，您将收到以下错误:SSL连接错误:SSL_CTX_set_default_verify_paths失败错误.

If it cannot find them you will receive errors such as: SSL connection error: SSL_CTX_set_default_verify_paths failed error.

这些文件必须存在于正在运行命令的VM目录中，实例才能验证要连接的凭据.记住要激活仅安全连接(SSL连接).

Those files will have to be present in the VM directory the command is being run for the Instance to verify the credentials to connect. Remember to have Only secured connection (SSL connection) activated for it to work.

请记住，Compute Engine实例应与Cloud SQL实例位于同一区域. 请继续尝试此示例，以消除配置错误的可能性[1].

Bear in mind that the Compute Engine instance should be in the same region with your Cloud SQL instance. Please proceed and try this example, in order to eliminate the possibility of misconfiguration[1].

如果仍然出现错误，请告诉我们您如何执行SSL连接? 看起来像是遵循Google的文档[2]，对吗?如果是这样，您是否通过控制台，gcloud命令或cURL做到了?

If you still get error, tell us how how did you enforce the SSL connections? Looks like follow Google’s documentation about it [2], right? If so, did you do it through the console, gcloud command or cURL?

关于Cloud SQL代理[3]，您可以访问Cloud SQL第二代实例，而不必将IP地址列入白名单或配置SSL.

About the Cloud SQL Proxy [3] is an option to access your Cloud SQL Second Generation instances without having to whitelist IP addresses or configure SSL.

此致

[1]- https://cloud.google.com /sql/docs/mysql/connect-compute-engine [2]- https://cloud.google. com/sql/docs/mysql/configure-ssl-instance#enforcing-ssl [3]- https://cloud. google.com/sql/docs/mysql/connect-compute-engine#gce-connect-proxy

[1] - https://cloud.google.com/sql/docs/mysql/connect-compute-engine [2] - https://cloud.google.com/sql/docs/mysql/configure-ssl-instance#enforcing-ssl [3] - https://cloud.google.com/sql/docs/mysql/connect-compute-engine#gce-connect-proxy

这篇关于在Google Cloud和Cloud SQL之间设置SSL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！