Question

Pass cert from managed Postgres to Digital Ocean app as ENV var.

I have a managed Postgres database from Digital Ocean (NOT the dev database you can spin up when creating an App component on the App Platform). I have a dockerized Node app (Koa).

Locally I can take the contents of the cert I get for that managed Postgres database and save it in a JSON file which I can then read in and add to a buffer to pass to Postgres (by way of TypeORM, which is using the pg driver I believe) and it works. I can also define an empty environment variable in a docker compose and pipe a cat of my cert to pbcopy (`cat ~/.ssl/ca-certificate.crt | pbcopy`) to define the environment variable and that works. Another way that works is when doing a docker-compose up I pass the environment variable as an argument: `SSL_CERT=$(cat ~/.ssl/ca-certificate.crt) docker-compose -f docker-compose.live.yml up`.

Basically I can connect to my live database locally by either running my app with ts-node and reading from a JSON file OR building a docker image passing the environment variables to a running container of that image (using docker-compose for this, though same result with command line arguments using docker directly).

When I run `cat ~/.ssl/ca-certificate.crt | pbcopy` and paste these contents into my environment variables for my Digital Ocean App component I get a SELF_SIGNED_CERT_IN_CHAIN error when the app runs and tries to connect to the database. I have also tried removing all new lines and pasting that in. I have also tried replacing all newlines found with regex with `\n`. I have also tried cat’ing out the file and copying it from the terminal and pasting that in. All the same result of SELF_SIGNED_CERT_IN_CHAIN.

I would rather not include my cert in the docker image - seems like a security issue. And I would prefer not to have to mount a volume and to provide the cert to the application by reading it in from the file system.

Is there some grooming Digital Ocean’s App platform is doing to environment variables?

What have y’all done to solve this?



I solved this by base64 encoding the cert then just decoding it on application start up. The single line base64 value works regardless of the mechanism used to provide it to the docker image and obviously regardless of where the docker image runs.
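The approach in the answer above, written out as an added example (this is not the answerer's code and not part of the original thread): the PEM CA certificate is base64-encoded once into a single line, stored in an environment variable, and decoded and sanity-checked at application start-up before being handed to the pg/TypeORM `ssl` option. The variable name `SSL_CERT_B64`, the helper names, and the sample PEM text (a constructed placeholder, not a real certificate) are assumptions for illustration.

```javascript
// Added example, not from the original post. Node.js, no third-party modules.
// Assumed env var name: SSL_CERT_B64 (holds the base64 of the PEM CA file).

const PEM_BEGIN = "-----BEGIN CERTIFICATE-----";
const PEM_END = "-----END CERTIFICATE-----";

// Constructed placeholder PEM for the demo; the body is NOT a real certificate.
const SAMPLE_PEM =
  `${PEM_BEGIN}\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n${PEM_END}\n`;

// Encoding side (run once locally). Produces one line with no newlines, so it
// survives any env-var UI or shell that mangles multi-line values.
// Shell equivalent: `base64 -w0 ~/.ssl/ca-certificate.crt` (GNU coreutils)
// or `base64 -i ~/.ssl/ca-certificate.crt` (macOS), then paste the output.
function encodeCertForEnv(pem) {
  return Buffer.from(pem, "utf8").toString("base64");
}

// Decoding side, run at start-up. Fails fast with a clear message instead of
// letting the driver fail later with SELF_SIGNED_CERT_IN_CHAIN because the
// CA it received was empty or mangled.
function loadCaCertFromEnv(env, name = "SSL_CERT_B64") {
  const raw = env[name];
  if (!raw) throw new Error(`${name} is not set`);

  // Tolerate whitespace a copy/paste may have introduced around the value.
  const compact = raw.replace(/\s+/g, "");
  if (!/^[A-Za-z0-9+/]+=*$/.test(compact)) {
    throw new Error(`${name} is not valid base64`);
  }

  const pem = Buffer.from(compact, "base64").toString("utf8");
  if (!pem.includes(PEM_BEGIN) || !pem.includes(PEM_END)) {
    throw new Error(`${name} did not decode to a PEM certificate`);
  }
  return pem;
}

// Build the `ssl` object pg / TypeORM accept. rejectUnauthorized stays true so
// the server certificate is actually verified against the supplied CA rather
// than the check being disabled to make the error go away.
function buildSslOptions(env) {
  return { ca: loadCaCertFromEnv(env), rejectUnauthorized: true };
}

// Stand-alone demonstration: encode the sample, decode it back, build options.
const demoEnv = { SSL_CERT_B64: encodeCertForEnv(SAMPLE_PEM) };
const demoSsl = buildSslOptions(demoEnv);
console.log(
  `base64 length ${demoEnv.SSL_CERT_B64.length}, ` +
  `decoded PEM round-trips: ${demoSsl.ca === SAMPLE_PEM}`
);

module.exports = { encodeCertForEnv, loadCaCertFromEnv, buildSslOptions, SAMPLE_PEM };
```

In TypeORM the resulting object is what goes in the `ssl` field of the DataSource options (`ssl: buildSslOptions(process.env)`); the same object is accepted directly by the `pg` client. Keeping `rejectUnauthorized: true` is the point of passing the CA at all: the DigitalOcean managed database presents a certificate signed by their private CA, so the client needs that CA to verify the chain, and disabling verification instead would leave the connection open to interception.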