Is CA_CERT available via the connection pool variable syntax in App Platform?

Posted on May 12, 2026

Dear Community!

We’re connecting to a Managed PostgreSQL database through a PgBouncer connection pool in App Platform. For most connection parameters we use the pool-scoped variable syntax:

${<db-name>.<pool-name>.HOSTNAME}
${<db-name>.<pool-name>.PORT}
${<db-name>.<pool-name>.USERNAME}
...

However, we also need to pass the CA certificate to verify TLS connections (rejectUnauthorized: true). The documentation lists CA_CERT as a bindable variable, but only shows it in the context of direct cluster references:

${<db-name>.CA_CERT}

The pool variable section only shows DATABASE_URL as an example, and CA_CERT is never mentioned there.

Our question: Does the pool-scoped syntax support CA_CERT? In other words, is ${<db-name>.<pool-name>.CA_CERT} a valid reference, or should we always use the cluster-level ${<db-name>.CA_CERT} for the certificate — even when connecting through a pool?

If CA_CERT is not available via the pool syntax, is the cluster-level reference still the right cert to use when the actual connection goes through PgBouncer?

Thanks for the answers in advance! Keep on Coding! Gulyas Bendeguz




Hi there,

As far as I remember, the CA_CERT variable is tied to the database cluster, not the connection pool. The pool has its own hostname and port that routes through PgBouncer, but the TLS certificate being presented is still the cluster’s certificate. So ${<db-name>.CA_CERT} is the correct reference regardless of whether you are connecting through a pool or directly.

To be explicit: ${<db-name>.<pool-name>.CA_CERT} is not documented anywhere, and based on how App Platform handles pool variables, it is unlikely to resolve correctly. Stick with the cluster-level reference:

${<db-name>.CA_CERT}

And use the pool-scoped variables for everything else:

${<db-name>.<pool-name>.HOSTNAME}
${<db-name>.<pool-name>.PORT}
${<db-name>.<pool-name>.USERNAME}

In your Node.js code it would look like this:

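// Requires the node-postgres package: npm install pg
const { Pool } = require('pg');

const pool = new Pool({
  // Pool-scoped values (the PgBouncer endpoint)
  host: process.env.POOL_HOSTNAME,
  port: process.env.POOL_PORT,
  user: process.env.POOL_USERNAME,
  password: process.env.POOL_PASSWORD,
  database: process.env.POOL_DATABASE,
  ssl: {
    // Keep certificate verification on
    rejectUnauthorized: true,
    // Cluster-level CA certificate, bound from ${<db-name>.CA_CERT}
    ca: process.env.CA_CERT,
  },
});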

That said, since the docs do not explicitly confirm this for the pool case, it is worth opening a support ticket to get an official confirmation, especially if you are building something production-critical.
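An added example, not part of the original answer or of any DigitalOcean code: a startup check that refuses to build the `ssl` options unless `CA_CERT` actually resolved to a PEM certificate, so a mistyped reference such as the pool-scoped one fails loudly instead of tempting a switch to `rejectUnauthorized: false`. The names `buildSslConfig`, `checkEnv` and `SAMPLE_PEM` are hypothetical, and it assumes an unresolved reference may arrive either empty or as the literal `${...}` text.

```javascript
// Added example: fail-closed TLS options for pg, built from App Platform env vars.
// Assumption: CA_CERT is bound to ${<db-name>.CA_CERT}; an unresolved reference
// may arrive empty or as the literal "${...}" placeholder text.
const PEM_BLOCK =
  /-----BEGIN CERTIFICATE-----\n[A-Za-z0-9+/=\n]+\n-----END CERTIFICATE-----/g;

function buildSslConfig(env) {
  const raw = env.CA_CERT;
  if (typeof raw !== 'string' || raw.trim() === '') {
    throw new Error('CA_CERT is empty: refusing to connect without a pinned CA');
  }
  if (raw.includes('${')) {
    throw new Error('CA_CERT holds an unresolved bindable variable: ' + raw.trim());
  }
  // PEM newlines are sometimes flattened to a literal backslash-n or to CRLF.
  const pem = raw.replace(/\\n/g, '\n').replace(/\r\n/g, '\n').trim();
  const blocks = pem.match(PEM_BLOCK) || [];
  if (blocks.length === 0) {
    throw new Error('CA_CERT is not a PEM certificate');
  }
  // Structural check only; Node's TLS stack parses the certificate at connect time.
  // Pass the result as the `ssl` option: new Pool({ ..., ssl: buildSslConfig(process.env) })
  return { rejectUnauthorized: true, ca: blocks.join('\n') + '\n' };
}

// Constructed sample (the base64 body is a placeholder, not a real certificate),
// stored with escaped newlines the way a single-line env value might be.
const SAMPLE_PEM =
  '-----BEGIN CERTIFICATE-----\\nTUlJQ29uc3RydWN0ZWRTYW1wbGU=\\n-----END CERTIFICATE-----';

function checkEnv(env) {
  try {
    const ssl = buildSslConfig(env);
    return 'ok: CA pinned, rejectUnauthorized=' + ssl.rejectUnauthorized;
  } catch (err) {
    return 'rejected: ' + err.message;
  }
}

console.log(checkEnv({ CA_CERT: SAMPLE_PEM }));
console.log(checkEnv({ CA_CERT: '${db.pool.CA_CERT}' })); // constructed placeholder
console.log(checkEnv({}));
```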
