Connecting n8n to Supabase PostgreSQL for RAG AI Agent Integration

Below is some guidance tailored to your scenario:

SSL and Authentication with Supabase

Supabase’s Postgres requires SSL connections with full certificate verification. When connecting from n8n using the Postgres Chat Memory (or any Postgres credentials), the connection must align with the authentication method expected by Supabase.

A few things to check:

• SSL Mode Setting:
  In your Postgres credential configuration within n8n, make sure you’re not relying solely on the “Ignore SSL Issues” toggle. Instead, select the proper SSL mode (typically “Require”) so that the connection uses full SSL verification. This ensures that the client requests the server certificate correctly.

• Certificate Availability:
  When enforcing SSL, you need to ensure that the Supabase CA certificate is provided to the Postgres client library. In a Dockerized setup it is common to:

  • Mount the certificate into the container (for example into a folder like /opt/custom-certificates).
  • Configure the credential’s SSL CA field (or use the equivalent environment variable such as DB_POSTGRESDB_SSL_CA) to point to that file.

  Double-check that the certificate file is in PEM format and accessible (permissions, correct file path) by the n8n process.

• Client Library Compatibility:
  The error “SASL: SCRAM-SERVER-FINAL-MESSAGE: server signature is missing” can sometimes indicate a mismatch between the Postgres client library’s expectations and the server’s SCRAM authentication handshake. Since Supabase uses SCRAM authentication, ensuring your n8n container is up to date in terms of its Postgres client library might help. In your case you’re on 1.65.2 so consider checking release notes if there have been updates addressing SCRAM compatibility. If upgrading is an option, it may be worth testing on a newer version.

Alternative Approaches

• Using Supabase Credentials in n8n:
  If you’re only reading from Supabase (or have access via a service key), you might consider the dedicated Supabase credentials node. This configuration uses a Host and Service Role Secret rather than the standard Postgres connection parameters. Although the RAG AI Agent’s memory node relies on Postgres credentials, if a similar integration exists for Supabase credentials it might sidestep the SCRAM issue.

• Verifying Connection Outside n8n:
  Before testing in n8n, try connecting via the psql CLI with the Supabase connection string (using sslmode=verify-full) to verify that your certificate setup works as expected. For example:

  BASHCopied
  psql "postgresql://aws-0-eu-central-1.pooler.supabase.com:6543/postgres?sslmode=verify-full" -U postgres.<user>

  This command (from Supabase’s documentation) confirms that the client can perform the full handshake using the CA certificate you added.

Summary of Recommendations

1. Set SSL Mode to “Require” in your Postgres credentials rather than toggling “Ignore SSL Issues.”
2. Ensure the CA certificate is correctly mounted in your container and that you point to it in the SSL configuration.
3. Verify locally with psql using the same connection parameters to isolate the issue.
4. Consider upgrading n8n (if possible) to benefit from any fixes related to SCRAM authentication.

Following these steps should help address the negotiation error you’re encountering. Let me know if you need further details on any of these steps.