OTP 28 Database SSL Connection Issues

After upgrading to OTP 28, my app can no longer connect to the database with SSL. I see Certificate Unknown or failed_to_decode_certificate errors.

OTP 28 introduced stricter SSL host verification requirements. Databases created before this change are addressed by IP rather than by hostname, and SSL host verification against an IP address does not satisfy the new OTP 28 requirements.

Symptoms

After upgrading to OTP 28 (Elixir 1.19+), you may see errors like:

(DBConnection.ConnectionError) ssl connect: TLS client: In state wait_cert
generated CLIENT ALERT: Fatal - Certificate Unknown
{failed_to_decode_certificate, ...}

This happens regardless of whether you use verify: :verify_none or verify: :verify_peer.
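To confirm that an application is in the situation this article describes (OTP 28 or newer plus a database host given as an IP literal), the following diagnostic can be run from `iex` or a release console. It is an added example, not code from the original article or from the hosting platform; the module name `SslHostCheck` and the sample database URL are constructed for illustration.

```elixir
# Added diagnostic (not part of the original article): reports the running
# OTP release and whether the host in a database URL is an IP literal, the
# combination that triggers the OTP 28 "Certificate Unknown" failure above.
defmodule SslHostCheck do
  @doc """
  Returns a map with the OTP release, the parsed database host, whether that
  host is an IP literal rather than a DNS name, and whether both conditions
  for the OTP 28 verification failure are present.
  """
  def check(database_url) do
    %URI{host: host} = URI.parse(database_url)
    otp = otp_release()

    %{
      otp_release: otp,
      host: host,
      host_is_ip: ip_literal?(host),
      affected: otp >= 28 and ip_literal?(host)
    }
  end

  # :erlang.system_info(:otp_release) returns a charlist such as ~c"28".
  defp otp_release do
    :otp_release
    |> :erlang.system_info()
    |> List.to_string()
    |> String.to_integer()
  end

  # :inet.parse_address/1 accepts IPv4 and IPv6 literals and rejects hostnames;
  # URI.parse/1 already strips the brackets around an IPv6 host.
  defp ip_literal?(nil), do: false

  defp ip_literal?(host) do
    case :inet.parse_address(String.to_charlist(host)) do
      {:ok, _addr} -> true
      {:error, :einval} -> false
    end
  end
end

# Constructed sample URL (documentation address, not a real database):
IO.inspect(SslHostCheck.check("postgresql://user:pass@203.0.113.10:5432/app_prod"))
```

Point `check/1` at the value of your own `DATABASE_URL`; `affected: true` means the options below apply, while a hostname-based URL on OTP 28 points to a different problem.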

Solutions

Option 1: Downgrade to OTP 27 (temporary)

Temporarily run OTP 27 or earlier in your elixir_buildpack.config. This restores the original SSL behavior while you plan a permanent fix.

erlang_version=27.x

Option 2: Use Cloud SQL Auth Proxy (recommended, no downtime)

The Cloud SQL Auth Proxy allows your application to connect securely through a private network without using public IP addresses. Your app connects to a local proxy which handles SSL to the database.

  • The proxy runs alongside your application replicas.
  • It consumes approximately 200 MB of additional memory per replica.
  • It adds a $10/month charge per replica for the additional resources.
  • It eliminates the need for public IP-based SSL entirely.

To set this up, contact support and we will configure the proxy for your application.

You can read more about Cloud SQL Auth Proxy in the Google Cloud documentation.

Option 3: Migrate to a new database (permanent fix, requires downtime)

We can create a new database with SSL certificates compatible with OTP 28’s requirements and migrate your data.

  • Requires approximately 10-30 minutes of downtime.
  • We perform an on-demand backup and restore into the new database.
  • After migration, OTP 28 SSL connections work normally.

To schedule a migration, contact support and we will coordinate a time that works for you.

Recommendation

For most customers, we recommend Option 2 (Cloud SQL Auth Proxy) as it requires no downtime, adds a layer of security, and can be combined with Option 3 later for a complete solution.