Persistent 'SELF_SIGNED_CERT_IN_CHAIN' Error on Managed PostgreSQL Connection

Posted on October 1, 2025

Hello DigitalOcean Support Team,

I am experiencing a persistent issue connecting my Bun/Elysia backend application, deployed on the DigitalOcean App Platform, to my Managed PostgreSQL Database.

The application successfully builds and deploys, but any attempt to connect to the database (specifically during the sign-in/login route when a query is executed) fails with a security error.

Error Details

The application logs repeatedly show the following error, which originates from the pg-pool layer of the database driver:

error: self signed certificate in certificate chain
code: "SELF_SIGNED_CERT_IN_CHAIN"

Steps Already Taken to Resolve

Based on your documentation and standard PostgreSQL practice, I have already attempted the following solutions, but the error remains:

  1. SSL Configuration in Code: Explicitly setting rejectUnauthorized: false within the database connection pool configuration (src/db/client.ts).

  2. Environment Variable Override: Setting the global environment variable NODE_TLS_REJECT_UNAUTHORIZED=0 in the App Platform settings.

  3. Connection String Override: Appending the parameters ?sslmode=require&rejectUnauthorized=0 directly to the DATABASE_URL environment variable.

  4. CA Certificate Injection: I attempted to pass the downloaded CA certificate string to the driver’s ssl.ca property (both directly and encoded in Base64), but this also failed to resolve the chain validation error.

Request for Assistance

Since all application-level solutions have failed, it suggests the issue may be related to the way the PgBouncer (the connection pooler) is configured on the Managed Database side, or a specific requirement for the trusted certificate chain that is not being satisfied in the App Platform environment.

Could you please assist in troubleshooting the PostgreSQL connection? Specifically, I need to know:

  • Is there a unique method for passing the required SSL configuration when connecting from a DigitalOcean App to a Managed Database?

  • Are there any firewall rules or specific CA chain details that might be missing from the standard environment?

Thank you for your prompt attention to this critical issue.

Best regards,

Renaldy Sousa / renaldy.sousa@gmail.com




Hi there,

When you attach a Managed PostgreSQL database to your App Platform service, DigitalOcean automatically injects the required environment variables, including DATABASE_URL and DATABASE_CA_CERT.

You don’t need to download anything manually. Instead of bundling the certificate file in your repo, you can reference DATABASE_CA_CERT directly in your code, for example:

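import { Pool } from "pg";

// Verify the server certificate against the CA that App Platform injects.
const pool = new Pool({
  connectionString: process.env.DATABASE_URL,
  ssl: {
    rejectUnauthorized: true,
    ca: process.env.DATABASE_CA_CERT,
  },
});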

This avoids filesystem issues and is the recommended way to connect from App Platform.

There’s also a helpful thread with more details here: https://www.digitalocean.com/community/questions/how-to-add-ssl-certificate-to-app-platform-environment-variables-in-order-to-connect-to-managed-database

SSL can’t be disabled for DigitalOcean Managed Databases; it’s always enforced.
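
The configuration from the answer above, as an added example (not part of the original posts and not DigitalOcean's code): it keeps certificate verification on, accepts the CA in the raw and Base64 forms the question mentions, and strips TLS query parameters from DATABASE_URL so the `ssl` object is the only source of TLS settings. The function names `normalizeCaPem` and `buildPoolConfig`, the host, the password and the certificate body are constructed for illustration.

```javascript
// Added example. DATABASE_URL and DATABASE_CA_CERT are the variable names from the
// answer above; function names, host and certificate body are constructed.
const PEM_RE = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/;

// Accept the CA as raw PEM, PEM with literal "\n" escapes, or base64-wrapped PEM.
function normalizeCaPem(raw) {
  if (!raw || !raw.trim()) throw new Error("DATABASE_CA_CERT is empty");
  let text = raw.trim().replace(/\\n/g, "\n");
  if (!PEM_RE.test(text)) {
    text = Buffer.from(text, "base64").toString("utf8").trim();
  }
  if (!PEM_RE.test(text)) {
    throw new Error("DATABASE_CA_CERT does not contain a PEM certificate");
  }
  return text + "\n";
}

// Query parameters that would put TLS settings in the URL as well as in `ssl`.
const TLS_PARAMS = ["sslmode", "ssl", "sslrootcert", "rejectUnauthorized"];

function buildPoolConfig(env) {
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === "0") {
    throw new Error("NODE_TLS_REJECT_UNAUTHORIZED=0 turns off verification for the whole process");
  }
  const url = new URL(env.DATABASE_URL);
  for (const name of TLS_PARAMS) url.searchParams.delete(name);
  return {
    connectionString: url.toString(),
    ssl: { rejectUnauthorized: true, ca: normalizeCaPem(env.DATABASE_CA_CERT) },
  };
}

// Constructed sample environment (placeholder host, password and certificate body).
const SAMPLE_PEM = [
  "-----BEGIN CERTIFICATE-----",
  "Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=",
  "-----END CERTIFICATE-----",
].join("\n");
const SAMPLE_ENV = {
  DATABASE_URL:
    "postgresql://doadmin:example-password@db.example.invalid:25060/defaultdb?sslmode=require&rejectUnauthorized=0",
  DATABASE_CA_CERT: Buffer.from(SAMPLE_PEM).toString("base64"),
};

// Pass the result to `new Pool(...)` from "pg"; printed here so the block runs offline.
const sampleConfig = buildPoolConfig(SAMPLE_ENV);
console.log(sampleConfig.connectionString);
```

In the application, call `buildPoolConfig(process.env)` and hand the result to `new Pool(...)`; a thrown error at startup points at the variable that needs fixing instead of a failed handshake at the first query.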
