diff --git a/cgat.Dockerfile b/cgat.Dockerfile
index 9ee40dd3e34912edc4ae9913b8cc093016944841..4fd82fc22b78f098bc420f4ad51d2c00608e0c0c 100644
--- a/cgat.Dockerfile
+++ b/cgat.Dockerfile
@@ -5,10 +5,15 @@ WORKDIR /src
 COPY . .
 
 RUN go mod tidy
-RUN go build -o pggat ./cmd/cgat
+RUN go build -o cgat ./cmd/cgat
 
 FROM alpine:latest
 WORKDIR /bin
-COPY --from=GOBUILDER /src/pggat pggat
+RUN addgroup -S pgbouncer && adduser -S pgbouncer && mkdir -p /etc/pgbouncer /var/log/pgbouncer /var/run/pgbouncer
+COPY --from=GOBUILDER /src/cgat.sh run.sh
+COPY --from=GOBUILDER /src/cgat pggat
+RUN apk add openssl
+RUN chown -R pgbouncer:pgbouncer /var/log/pgbouncer /var/run/pgbouncer /etc/pgbouncer /etc/ssl/certs
+USER pgbouncer:pgbouncer
 
-ENTRYPOINT ["/bin/pggat"]
+ENTRYPOINT ["/bin/run.sh"]
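Review bot: `cgat.sh` enters the repository with mode 100644 (see its file header below) and `COPY --from=GOBUILDER /src/cgat.sh run.sh` keeps that mode, so `ENTRYPOINT ["/bin/run.sh"]` will fail with a permission error at container start; add `RUN chmod 0755 /bin/run.sh` before the `USER` line or use `ENTRYPOINT ["/bin/sh", "/bin/run.sh"]`. The `chown -R` line also hands `/etc/ssl/certs`, the image's CA trust directory, to the unprivileged service user, so a compromised proxy process could alter the roots that openssl in this image trusts; writing the generated key and certificate into `/etc/pgbouncer`, which the same line already gives to that user, keeps the trust store root-owned. `RUN apk add openssl` should be `RUN apk add --no-cache openssl` so the package index is not baked into the final layer. `alpine:latest` is an unpinned base, so the runtime image is not reproducible between builds.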
diff --git a/cgat.sh b/cgat.sh
new file mode 100644
index 0000000000000000000000000000000000000000..9e455f717f9609e2c7d1d0416606f46c24bdb104
--- /dev/null
+++ b/cgat.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+openssl req -nodes -new -x509 -subj '/CN=spilo.dummy.org' -keyout /etc/ssl/certs/pgbouncer.key -out /etc/ssl/certs/pgbouncer.crt
+/bin/pggat
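Review bot: The script has no `set -e`, so if the `openssl req` call fails the next line still starts `/bin/pggat`, which then runs without the certificate it was meant to get or fails later with a less obvious error; start the script with `set -eu`. `/bin/pggat` should be `exec /bin/pggat` so the proxy replaces the shell as PID 1 and receives the container's SIGTERM directly. `openssl req` is given no `-days`, so the self-signed certificate gets the tool's default validity (30 days), and a fresh key pair is produced on every container start, so clients cannot pin the certificate across restarts; if this is intended only for a development image, a comment saying so would help the next reader. The private key is also written into `/etc/ssl/certs`, next to the CA bundle, rather than into a private directory such as `/etc/pgbouncer`.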
diff --git a/lib/gat/acceptor.go b/lib/gat/acceptor.go
index bccea393089ccb0c932659cff481ed742ba4be49..803a3256ca4ff5f008e9c53104590330b2c627dd 100644
--- a/lib/gat/acceptor.go
+++ b/lib/gat/acceptor.go
@@ -80,10 +80,12 @@ func Serve(acceptor Acceptor, pools Pools) error {
 	for {
 		conn, acceptParams, err := acceptor.Accept()
 		if err != nil {
+			// log.Println("error accepting", err)
 			continue
 		}
 		go func() {
 			_ = serve(conn, acceptParams, pools)
+			// log.Println("error serving", err)
 		}()
 	}
 }
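Review bot: The commented-out `log.Println("error serving", err)` inside the goroutine would report the wrong value if uncommented, because `err` there is the loop's Accept error while the serve result is discarded by `_ = serve(...)` on the line above; either drop both commented lines or make the result real, e.g. `if err := serve(conn, acceptParams, pools); err != nil { log.Println("error serving", err) }` (importing `log` if the file does not already). A persistent Accept failure (for example an exhausted file-descriptor table) also makes this loop spin, since `continue` retries immediately with no delay; a short backoff between failed accepts would keep one bad listener from pegging a CPU. Serve begins outside this hunk.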
diff --git a/lib/gat/modes/pgbouncer/config.go b/lib/gat/modes/pgbouncer/config.go
index 548d01156a0377ecaa5640fb2d69e106650d74c1..94f201f1130d56f5827b2df4f0185e64fa4cd1ca 100644
--- a/lib/gat/modes/pgbouncer/config.go
+++ b/lib/gat/modes/pgbouncer/config.go
@@ -1,6 +1,7 @@
 package pgbouncer
 
 import (
+	"crypto/tls"
 	"net"
 	"strconv"
 	"strings"
@@ -260,9 +261,22 @@ func (T *Config) ListenAndServe() error {
 
 	allowedStartupParameters := append(trackedParameters, T.PgBouncer.IgnoreStartupParameters...)
 
+	var sslConfig *tls.Config
+	if T.PgBouncer.ClientTLSCertFile != "" && T.PgBouncer.ClientTLSKeyFile != "" {
+		certificate, err := tls.LoadX509KeyPair(T.PgBouncer.ClientTLSCertFile, T.PgBouncer.ClientTLSKeyFile)
+		if err != nil {
+			return err
+		}
+		sslConfig = &tls.Config{
+			Certificates: []tls.Certificate{
+				certificate,
+			},
+		}
+	}
+
 	acceptOptions := frontends.AcceptOptions{
-		SSLRequired: T.PgBouncer.ClientTLSSSLMode.IsRequired(),
-		// TODO(garet) SSL Certificates
+		SSLRequired:           T.PgBouncer.ClientTLSSSLMode.IsRequired(),
+		SSLConfig:             sslConfig,
 		AllowedStartupOptions: allowedStartupParameters,
 	}
 
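Review bot: When exactly one of `ClientTLSCertFile` and `ClientTLSKeyFile` is set, the condition on the new `if` leaves `sslConfig` nil and ListenAndServe continues silently, so a typo in one option disables server TLS without any diagnostic; return an error for that case, e.g. `if (T.PgBouncer.ClientTLSCertFile != "") != (T.PgBouncer.ClientTLSKeyFile != "") { return errors.New("client TLS cert and key must be configured together") }` (which needs `errors` in the import block above). The constructed `tls.Config` sets only `Certificates`, so the minimum protocol version is whatever the Go runtime defaults to; adding `MinVersion: tls.VersionTLS12` makes the floor explicit in the config rather than dependent on the toolchain. Whether `SSLRequired` true combined with a nil `SSLConfig` is rejected downstream is not visible here; if `frontends.AcceptOptions` does not check that combination, this is the place to. ListenAndServe begins outside this hunk.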
diff --git a/lib/zap/conn.go b/lib/zap/conn.go
index 7354caa4404c6bbf7e7463651ced3450cd51906c..d12117c9a2bc7346fa831b3a1667f9f2e4f8645f 100644
--- a/lib/zap/conn.go
+++ b/lib/zap/conn.go
@@ -4,6 +4,7 @@ import (
 	"crypto/tls"
 	"encoding/binary"
 	"io"
+	"log"
 	"net"
 )
 
@@ -36,6 +37,9 @@ func WrapNetConn(conn net.Conn) Conn {
 }
 
 func (T *netConn) EnableSSLClient(config *tls.Config) error {
+	if err := T.flush(); err != nil {
+		return err
+	}
 	sslConn := tls.Client(T.conn, config)
 	T.conn = sslConn
 	T.w = sslConn
@@ -43,6 +47,10 @@ func (T *netConn) EnableSSLClient(config *tls.Config) error {
 }
 
 func (T *netConn) EnableSSLServer(config *tls.Config) error {
+	if err := T.flush(); err != nil {
+		return err
+	}
+	defer log.Println("done enabling ssl")
 	sslConn := tls.Server(T.conn, config)
 	T.conn = sslConn
 	T.w = sslConn
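Review bot: `defer log.Println("done enabling ssl")` fires on every return from EnableSSLServer, including any error path in the remainder of the function that lies outside this hunk, so the message is emitted even when TLS was not enabled, and it writes to the global logger on every server-side handshake. Either remove it together with the `log` import added above, or log only where an error is actually returned so the line carries information. EnableSSLServer continues past the end of this hunk.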