Question

What is the correct environment variable format to get my managed db's CA cert value?

I have an Express.js app trying to connect to a managed Postgres db. However the connection fails with the following cert error:

ERROR (16): Database connection failed
err: {
"type": "Error",
"message": "self-signed certificate in certificate chain",
"stack":
Error: self-signed certificate in certificate chain
at TLSSocket.onConnectSecure (node:_tls_wrap:1677:34)
at TLSSocket.emit (node:events:519:28)
at TLSSocket._finishInit (node:_tls_wrap:1076:8)
at ssl.onhandshakedone (node:_tls_wrap:862:12)
"code": "SELF_SIGNED_CERT_IN_CHAIN"
}

After some searching it looks like I need to pass in the db’s cert when configuring the connection:

export const db = pgp({
  connectionString: DB_CONNECTION_STR,
  connect_timeout: 15000, // 15 seconds
  ssl: {
    rejectUnauthorized: true,
    ca: process.env.CA_CERT,
  },
});

I also created an environment variable that mapped the value of ${<my-db-name>.CA_CERT} to CA_CERT as described in this article: https://docs.digitalocean.com/products/app-platform/how-to/use-environment-variables/#databases

I replaced <my-db-name> with the name of my managed Postgres instance. When creating the db, I just went with the autogenerated name. This is not my actual db’s name, but it has the same format: db-postgresql-sfo-1000

However, I can’t get the value of the ${db-postgresql-sfo-1000.CA_CERT} expression to evaluate to the correct value. When I write process.env.CA_CERT out to console log I get back the string ‘${db-postgresql-sfo-1000.CA_CERT}’. My guess is that the db name part of the value is not correct. The autogenerated name has hyphens so I tried underscores, but that didn’t help. How can I find what the right value for the ${<my-db-name>.CA_CERT} expression is that I should use?


Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Bobby Iliev
Site Moderator
Site Moderator badge
October 27, 2024

Hi there,

Are you doing this during the build process or during the run stage?

Keep in mind that Database values are not available during build time but are available at runtime as mentioned here in the docs:

https://docs.digitalocean.com/products/app-platform/how-to/use-environment-variables/#databases

If this is not the case, there has been a similar discussion here about the same use-case:

https://www.digitalocean.com/community/questions/how-to-use-_self-ca_cert-in-when-accessing-postgres-db-from-nodejs-app

The solution that the user mentioned was to switch to using Pool from pg:

export const pool = new Pool({
    user: process.env.DB_USERNAME,
    host: process.env.DB_HOSTNAME,
    database: process.env.DATABASE,
    password: process.env.DB_PASSWORD,
    port: Number(process.env.DB_PORT),
    ssl: {
       rejectUnauthorized: true,
       ca: process.env.CA_CERT,
    },
})

Let me know how it goes!

- Bobby

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Featured on Community

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more