https://pkg.go.dev/crypto/x509#ParseCertificate

https://stackoverflow.com/questions/79061981/failed-to-parse-certificate-from-server-x509-negative-serial-number

https://cs.opensource.google/go/go/+/refs/tags/go1.24.4:src/crypto/x509/parser.go;l=926

says

    serial := new(big.Int)
    if !tbs.ReadASN1Integer(serial) {
        return nil, errors.New("x509: malformed serial number")
    }
    if serial.Sign() == -1 {
        if x509negativeserial.Value() != "1" {
            return nil, errors.New("x509: negative serial number")
        }

so you could run tbs.ReadASN1Integer
on your certs' serial numbers to see which, if any, are old...

var tbs cryptobyte.String seems to imply it is using 
"golang.org/x/crypto/cryptobyte"
so that code would be, in the v0.39.0 version,
https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.39.0:cryptobyte/asn1.go;l=273


On Wednesday, June 11, 2025 at 10:36:55 PM UTC+1 David Karr wrote:

> This may be better asked in a k8s forum, but I'm not aware of a good one, 
> and as I've never seen this anywhere but in Go applications, perhaps 
> someone here will know about this.
>
> In our enterprise, we have a bunch of k8s clusters.  I have a bunch of Go 
> code using the k8s client api to get data from those clusters. For some 
> reason, when I attempt to connect to some of those clusters, I get a 
> "negative serial number" error.  After some digging, I found that adding 
> "godebug (x509negativeserial=1)" to your go.mod will work around this 
> problem.
>
> The thing is, I also wrote some code that examines the cluster cert and 
> its serial number, and in the cases where I've gotten this error, I've 
> never found a serial number that was negative. Perhaps it's negative if 
> it's assumed to be a limited number of bits?  I have no idea.
>
> I also saw this error today when someone tried to run "helm" to get 
> something on an external web site, and after I did "export 
> GODEBUG=x509negativeserial=1", that resolved that problem.
>
> Anyone know anything about this?
>

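The check suggested in the reply, as an added example that is not part of the original thread or of the Go source: it reads the serialNumber INTEGER straight from the DER with the standard library's encoding/asn1 (used here instead of cryptobyte), so it also works on certificates that ParseCertificate rejects. `InspectSerial` and the two byte strings are constructed for illustration; they carry the same serial digits, which read as negative without a leading 0x00 byte and as positive with one.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// InspectSerial walks Certificate -> tbsCertificate -> optional [0] version ->
// serialNumber and returns the INTEGER's raw content bytes together with
// their value read as DER two's complement (the value crypto/x509 checks).
func InspectSerial(der []byte) ([]byte, *big.Int, error) {
	var cert, tbs, field asn1.RawValue
	if _, err := asn1.Unmarshal(der, &cert); err != nil {
		return nil, nil, err
	}
	if _, err := asn1.Unmarshal(cert.Bytes, &tbs); err != nil {
		return nil, nil, err
	}
	rest, err := asn1.Unmarshal(tbs.Bytes, &field)
	if err == nil && field.Class == asn1.ClassContextSpecific && field.Tag == 0 {
		_, err = asn1.Unmarshal(rest, &field) // skip the explicit version field
	}
	if err != nil {
		return nil, nil, err
	}
	if field.Class != asn1.ClassUniversal || field.Tag != asn1.TagInteger || len(field.Bytes) == 0 {
		return nil, nil, errors.New("serialNumber INTEGER not found")
	}
	// Top bit of the first content byte set means negative: subtract 2^(8*len).
	n := new(big.Int).SetBytes(field.Bytes)
	if field.Bytes[0]&0x80 != 0 {
		n.Sub(n, new(big.Int).Lsh(big.NewInt(1), uint(8*len(field.Bytes))))
	}
	return field.Bytes, n, nil
}

// Constructed samples (leading certificate fields only), same serial digits.
var (
	unpadded = []byte{0x30, 0x0D, 0x30, 0x0B, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x04, 0x9A, 0x3B, 0x5C, 0x01}
	padded   = []byte{0x30, 0x0E, 0x30, 0x0C, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x05, 0x00, 0x9A, 0x3B, 0x5C, 0x01}
)

func main() {
	for _, der := range [][]byte{unpadded, padded} {
		raw, n, err := InspectSerial(der)
		fmt.Printf("content=%X value=%v negative=%v err=%v\n", raw, n, n != nil && n.Sign() < 0, err)
	}
}
```

For a PEM file, decode it with encoding/pem first and pass the block's Bytes to `InspectSerial`.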