How can I solve Postgresql SCRAM authentication problem?

Question

I am getting an error after moving the project to production. The error is as follows while running with production server

pg_connect(): Unable to connect to PostgreSQL server: SCRAM authentication requires libpq version 10 or above.

Here is my PostgreSQL version:

Development Version :

PostgreSQL 11.5 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-36), 64-bit

Production Version :

PostgreSQL 11.5 (EnterpriseDB Advanced Server 11.5.12) on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-36), 64-bit

Answer 1

In my case, the problem was coming up because I had two database servers running on the same machine: [1] Postgresql 14 which uses scram-sha-256 and [2] Postgresql 9.6 which uses md6. So I needed to specify the port number, and it worked!

$psql -U postgres -d dbname -p 5523  -f *path/to/file*

Answer 2

I used to get an error SCRAM authentication requires libpq version 10 or above when running php artisan migrate in laravel 8. Then I fixed it as follows: Change authentication from scram-sha-256 to md5, then reset your password and restart the postgresql-x64-13 service and here are step by step:

1. Step 1: Find file postgresql.conf in C:\Program Files\PostgreSQL\13\data then set password_encryption = md5
2. Step 2: Find file pg_hba.conf in C:\Program Files\PostgreSQL\13\data then change all METHOD to md5
3. Step 3: Open command line (cmd,cmder,git bash...) and run psql -U postgres then enter your password when installed postgres sql
4. Step 4: Then change your password by run ALTER USER postgres WITH PASSWORD 'new-password'; in command line
5. Final: Restart service postgresql-x64-13 in your Service.

Answer 3

I use MacOS, and download the Postgres.app from this link, can solve this problem：

SQLSTATE[08006] [7] SCRAM authentication requires qlibpq version 10 or above

Answer 4

For Amazon linux users:

$ sudo yum install -y amazon-linux-extras

then re install the postgres client again

$ sudo amazon-linux-extras install postgresql10

Then the main part install the python package in my case it was (psycopg2) reinstall it

$ pip3 install --force-reinstall psycopg2==2.9.3

specification: python3.8.9

Answer 5

The following docker-compose snippet worked for me:

command: postgres -c password_encryption=md5
environment:
  [...]
  POSTGRES_INITDB_ARGS: "--auth-local=md5"

Answer 6

I am a php-fpm docker user on Mac OS, neither the plateform env exports nor adding the directive to the dockerfile/docker-compose.yml succeded. On the other hand, switching postgres to md5 was a solution i wished to avoid. Besides, using apt-get inside the container resulted in too many dependency errors. What worked for me was just upgrading php-fpm to the latest version, rebuild the container then apt-get brought a libpq >= 10 version

Actually my dockerfile looks like this:

FROM --platform=linux/amd64 php:7.4-fpm
RUN apt-get update \
    && apt-get install -y \
        librabbitmq-dev \
        libssh-dev \
        libpq-dev  \
...

Answer 7

I noticed using later postgres database docker images - postgres:14.x-alpine I got this error.

If feasible - you can downgrade to an older image that doesn't have these extra protections

version: '3.8'
services:


  db:
    image: postgres:9-alpine
    restart: always
    environment:
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=postgres
    ports:
      - '5432:5432'
    volumes: 
      - db:/var/lib/postgresql/data

Answer 8

1. Use vi (or other editor) to replace scram-sha-256 with md5 in the file postgresql.conf and post_hba.conf ; location of the files depends on your local set up. After this step 1 you may (most likely) continue to have the issue of authentication error. This is bcos the hash of password in DB still uses scram encryption. We will solve in the next few steps.
2. Restart postgresql server. This command depends on your server setup as well.
3. Reload DB and verify. Login with postgres id: sudo -u postgres sql

Reload (under the psql console):

SELECT pg_reload_conf();

Check Encryption:

SHOW password_encryption;
SELECT * FROM pg_hba_file_rules();

4. Reset password for user account (within the psql consol). This step will flush a new hash for the password under md5 to replace the existing scram hash of the user password.

   \password user_id

Then you can run a test of DB connection with psycopg2, as well as sqlalchemy.

This solves my problem in the way i can understand, being aware that md5 is less ideal an encryption method than scram-sha-256 but recompile the package to meet the requirement of psycopg2 is a pain in a**. So i would switch back to md5 first then when the package are all ready then change it to scram encryption.

Reference: PostgreSQL downgrade password encryption from SCRAM to md5

Answer 9

Thanks to previous answers, this was resolved in my case too when I switched from psycopg2-binary to psycopg2.

Use pip install psycopg2 in your environment. This resolves the issue for ubuntu based systems.

Answer 10

Based on answer by @meijsermans, I changed the requirements.txt for django:

#psycopg2-binary>=2.9.3
psycopg2>=2.9.5

and it worked without the SCRAM error!

Also tried with and without platform: linux/arm64 in docker.compose, didn't solve the problem.
Tried platform: linux/amd64 and had some unrelated errors (mainly "exec /bin/sh: exec format error")
Using postgres:14.5 image in postgres container and python:3.10.7 image for django

Answer 11

Found this problem installing on a ubuntu 22.04 image with python3.10 on Mac M1.
What worked for me was installing the psycopg2 package as root rather than with --user - then the specific user can use the package.

Looks like the --user install puts an incorrectly linked libpq at /home/<user...>/.local/lib/python3.10/site-packages/psycopg2_binary.libs/libpq-d97d8807.so.5.9

If you have another pip install --user process kicking about after this, and it installs psycopg2 again under the .local path, just remove that from .local/lib/python3.x/site-packages/psycopg2*

Answer 12

Here is a more mundane answer, but this is what happened to me so I'll add it here.

I got this error when I tried to start PostgreSQL 9.4. I realized I already had PostgreSQL 11 running - it started automatically with my computer. Once I stopped version 11, I was able to start version 9.4. They can't listen on a port already in use, and both had the same port set. But I'm not sure exactly why the misleading error wording.

Answer 13

This issue still affects m1 macs running python:3.10.* docker containers (based off aarch64 Debian 11). Solution for me was to install psycopg2 (build from source) instead of psycopg2-binary which is advised for production anyways:

pip install psycopg2

The python container has all the build dependencies already (like gcc). A more production appropriate container most likely won't have these https://www.psycopg.org/docs/install.html#build-prerequisites

Answer 14

Your application uses an API that is linked with the PostgreSQL client C library libpq.

The version of that library must be 9.6 or older, and SCRAM authentication was introduced in v10.

Upgrade libpq on the application end and try again.

If you don't need scram-sha-256 authentication, you can revert to md5:

• set password_encryption = md5 in postgresql.conf
• change the authentication method to md5 in pg_hba.conf
• reload PostgreSQL
• change the password of the user to get an MD5 encrypted password

Answer 15

All the answers that are suggesting that password encryption should be reverted back to md5 are forgetting that PostgreSQL changed its default password encryption from md5 to scram-sha-256 for security reasons. The issue then is those client applications that fail to use this modern encryption method. The libpq file that ships with PostgreSQL version 10 and above is fine. Just change your client applications if you can so that you use only the ones that support this new method.

For instance, For a long time I was using a package called RPostgreSQL that allows users to connect to a PostgreSQL database from R. Turns out that package doesn't support scram-sha-256. I have now replaced it with its modern equivalent called rpostgres. Problem solved, everybody happy now!

Answer 16

I find 2 solutions. I didn't try local, solutions are for docker container.

Preliminary information: According to the main image we defined at the beginning of the Dockerfile, our libq versions may differ. It is explained with examples in the answer given here.

If you want to know your libq version used in your docker-image, you can do the following, respectively.

• After docker-compose run

  docker-compose exec <app_name_in_docker-compose_file> sh

  python

  import psycopg2

  print(psycopg2.extensions.libpq_version())

If you're getting an error, you'll probably see a number like 90xxx here.

Solutions:

• First basic one. I used 'python:3.9-slim-buster' at docker and I've got error. Change base image name to 'python:3.9.6-alpine3.14'
• The second solution is to build the psycopg2 file and install libq and other dependencies. For this, add the following commands to the dockerfile.

RUN apt update -y && apt install -y build-essential libpq-dev

RUN pip3 install psycopg2-binary --no-binary psycopg2-binary

Answer 17

If you want to keep the scram-sha-256 for security. You need to update your client postgreSQL libraries, due to php-pgsql default version does not support it.

CentOS/Rhel/Rocky

yum install https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm
yum install postgresql13

This will update the server/client libpq in order to keep using scram-sha-256

Answer 18

Had this issue and fixed it by switching from the binary version of psycopg2 to psycopg2 = "^2.9.3"

Answer 19

For those on M1-Based macs who are currently seeing this issue in docker - there appears to a bug upstream in libpg that's building against the wrong library version on ARM.

Until it's fixed, a workaround is to (at a performance hit) is to just run it via rosetta.

export DOCKER_DEFAULT_PLATFORM=linux/amd64, and re-build your images.

You'll get the latest version of libpq, and things should Just Work.

Ref: https://github.com/psycopg/psycopg2/issues/1360

Answer 20

I ran into this while running a python:3.9 docker image where I had installed psycopg2-binary==2.9.3. Installing psycopg2==2.9.3 instead resolved it for me.

Answer 21

RUN apt-get -y update \
    && apt-get install -y build-essential gettext libpq-dev\
    && apt-get install -y wkhtmltopdf\
    && apt-get install -y gdal-bin\
    && apt-get install -y libgdal-dev\
    && apt-get install -y --no-install-recommends software-properties-common\
    && apt-add-repository contrib\
    && apt-get update

Try this.

Answer 22

Encountered the same issue and applied @Laurenz Albe's fix but I would get an authentication error on my user for the database, because of encryption strategy change.

So instead of replacing scram-sha-256 with md5, replace it with trust in pg_hba.conf