Maybe the TLS clients are providing certs too, and those are old?

On Thursday, June 12, 2025 at 4:33:55 AM UTC+1 Jason E. Aten wrote:

> https://pkg.go.dev/crypto/x509#ParseCertificate
>
> https://stackoverflow.com/questions/79061981/failed-to-parse-certificate-from-server-x509-negative-serial-number
>
> https://cs.opensource.google/go/go/+/refs/tags/go1.24.4:src/crypto/x509/parser.go;l=926
>
> says
>
>     serial := new(big.Int)
>     if !tbs.ReadASN1Integer(serial) {
>         return nil, errors.New("x509: malformed serial number")
>     }
>     if serial.Sign() == -1 {
>         if x509negativeserial.Value() != "1" {
>             return nil, errors.New("x509: negative serial number")
>         }
>     }
>
> so you could run tbs.ReadASN1Integer on your certs' serial numbers to see which, if any, are old...
>
> var tbs cryptobyte.String seems to imply it is using "golang.org/x/crypto/cryptobyte", so that code would be, in the v0.39.0 version,
>
> https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.39.0:cryptobyte/asn1.go;l=273
>
> On Wednesday, June 11, 2025 at 10:36:55 PM UTC+1 David Karr wrote:
>
>> This may be better asked in a k8s forum, but I'm not aware of a good one, and as I've never seen this anywhere but in Go applications, perhaps someone here will know about this.
>>
>> In our enterprise, we have a bunch of k8s clusters. I have a bunch of Go code using the k8s client api to get data from those clusters. For some reason, when I attempt to connect to some of those clusters, I get a "negative serial number" error. After some digging, I found that adding "godebug (x509negativeserial=1)" to your go.mod will work around this problem.
>>
>> The thing is, I also wrote some code that examines the cluster cert and its serial number, and in the cases where I've gotten this error, I've never found a serial number that was negative. Perhaps it's negative if it's assumed to be a limited number of bits? I have no idea.
>>
>> I also saw this error today when someone tried to run "helm" to get something on an external web site, and after I did "export GODEBUG=x509negativeserial=1", that resolved that problem.
>>
>> Anyone know anything about this?