Note that this is the command line that got the "negative serial number" error: "helm repo add coder-v2 https://helm.coder.com/v2";. That should be reachable by anyone else, so you could inspect that cert.
I'll try to integrate that code for inspecting the serial number. On Wednesday, June 11, 2025 at 9:10:59 PM UTC-7 Jason E. Aten wrote: > I don't know enough of your operational context, but for some > organizations, someone hitting your servers with old > certs like that could be considered a potentially malicious attack, and > "working around it" by turning > off the check might expose you to deeper vulnerabilities--that you might > better wish to avoid. > > On Thursday, June 12, 2025 at 4:42:01 AM UTC+1 Jason E. Aten wrote: > >> Maybe the TLS clients are providing certs too, and those are old? >> >> On Thursday, June 12, 2025 at 4:33:55 AM UTC+1 Jason E. Aten wrote: >> >>> https://pkg.go.dev/crypto/x509#ParseCertificate >>> >>> >>> https://stackoverflow.com/questions/79061981/failed-to-parse-certificate-from-server-x509-negative-serial-number >>> >>> >>> https://cs.opensource.google/go/go/+/refs/tags/go1.24.4:src/crypto/x509/parser.go;l=926 >>> >>> says >>> >>> serial := new(big.Int) >>> if !tbs.ReadASN1Integer(serial) { >>> return nil, errors.New("x509: malformed serial number") >>> } >>> if serial.Sign() == -1 { >>> if x509negativeserial.Value() != "1" { >>> return nil, errors.New("x509: negative serial number") >>> } >>> >>> so you could run tbs.ReadASN1Integer >>> on your certs serial numbers to see which if any are old... >>> >>> var tbs cryptobyte.String seems to imply it is using >>> "golang.org/x/crypto/cryptobyte" >>> so that code would be, in the v0.39.0 version, >>> >>> https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.39.0:cryptobyte/asn1.go;l=273 >>> >>> >>> On Wednesday, June 11, 2025 at 10:36:55 PM UTC+1 David Karr wrote: >>> >>>> This may be better asked in a k8s forum, but I'm not aware of a good >>>> one, and as I've never seen this anywhere but in Go applications, perhaps >>>> someone here will know about this. >>>> >>>> In our enterprise, we have a bunch of k8s clusters. I have a bunch of >>>> Go code using the k8s client api to get data from those clusters. For some >>>> reason, when I attempt to connect to some of those clusters, I get a >>>> "negative serial number" error. After some digging, I found that adding >>>> "godebug (x509negativeserial=1)" to your go.mod will work around this >>>> problem. >>>> >>>> The thing is, I also wrote some code that examines the cluster cert and >>>> its serial number, and in the cases where I've gotten this error, I've >>>> never found a serial number that was negative. Perhaps it's negative if >>>> it's assumed to be a limited number of bits? I have no idea. >>>> >>>> I also saw this error today when someone tried to run "helm" to get >>>> something on an external web site, and after I did "export >>>> GODEBUG=x509negativeserial=1", that resolved that problem. >>>> >>>> Anyone know anything about this? >>>> >>> -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/golang-nuts/c2237947-20a4-4e37-8424-b84ea0f4ed5en%40googlegroups.com.
