Default TLS cert uses negative serial number #895
Comments
Hey @sblackstone, I have the same issue here. However, I noticed that the issue happens randomly during the boot process of the container: sometimes it generates the correct serial number and the client can connect to it. Do we have any way to work around this before the issue gets fixed? Like running a command to regenerate the certs, or providing a custom one via a mount. Related: microsoft/go-mssqldb#217
I created my own cert as part of a custom image, and mssql.conf looks like:
To work around this after upgrading to go1.23, we can enable the Go 1.23 godebug (x509negativeserial=1).
The default certificate created by the docker container sometimes contains a negative serial number.
A TLS certificate with a negative serial number is invalid, although some software has historically tolerated this.
As of Golang 1.23, x509.ParseCertificate explicitly rejects these certificates; this impacts microsoft/go-mssqldb such that it can no longer connect to the docker container due to the invalid certificate. I think the proper place to fix this is in the docker repo; a TLS cert with an invalid serial number is not a valid TLS cert.
See: https://tip.golang.org/doc/go1.23#cryptox509pkgcryptox509
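The following is an added example, not code from the mssql-docker project or from microsoft/go-mssqldb. It shows what a negative serial number looks like on the wire (an INTEGER whose first content byte has the high bit set and no 0x00 pad byte in front of it), reads the serial straight out of the DER so that a certificate can be checked without going through x509.ParseCertificate, and then shows how that function treats the certificate with and without the GODEBUG setting x509negativeserial=1 from the Go 1.23 release notes. The certificate, its subject name and the serial values are constructed here for the demonstration; tlv, locateSerial, rawSerial, parseWithOptOut and makeCert are helper names chosen for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// tlv decodes one DER tag/length header at the start of b and returns the
// header length and the content length (short and long length forms).
func tlv(b []byte) (hdr, n int, err error) {
	if len(b) < 2 {
		return 0, 0, errors.New("truncated DER")
	}
	if b[1] < 0x80 {
		return 2, int(b[1]), nil
	}
	k := int(b[1] & 0x7f)
	if k == 0 || k > 4 || len(b) < 2+k {
		return 0, 0, errors.New("bad DER length")
	}
	for i := 0; i < k; i++ {
		n = n<<8 | int(b[2+i])
	}
	return 2 + k, n, nil
}

// locateSerial walks Certificate -> tbsCertificate -> [0] version -> serialNumber
// and returns the byte range [start, end) of the serialNumber TLV inside der.
func locateSerial(der []byte) (int, int, error) {
	off := 0
	for i := 0; i < 2; i++ { // enter Certificate, then tbsCertificate
		hdr, _, err := tlv(der[off:])
		if err != nil {
			return 0, 0, err
		}
		off += hdr
	}
	if off < len(der) && der[off] == 0xa0 { // explicit [0] version; absent in v1 certs
		hdr, n, err := tlv(der[off:])
		if err != nil {
			return 0, 0, err
		}
		off += hdr + n
	}
	if off >= len(der) || der[off] != 0x02 {
		return 0, 0, errors.New("serialNumber INTEGER not found")
	}
	hdr, n, err := tlv(der[off:])
	if err != nil || off+hdr+n > len(der) {
		return 0, 0, errors.New("truncated serialNumber")
	}
	return off, off + hdr + n, nil
}

// rawSerial reads the serial exactly as encoded, negative values included,
// without x509.ParseCertificate. encoding/asn1 decodes INTEGER into *big.Int
// and understands two's complement, so a high first byte comes back negative.
func rawSerial(der []byte) (*big.Int, error) {
	s, e, err := locateSerial(der)
	if err != nil {
		return nil, err
	}
	var serial *big.Int
	if _, err := asn1.Unmarshal(der[s:e], &serial); err != nil {
		return nil, err
	}
	return serial, nil
}

// parseWithOptOut re-runs ParseCertificate with the Go 1.23 opt-out active.
// The runtime re-reads GODEBUG when it is changed with os.Setenv, so the
// setting takes effect in-process; in a deployment it goes in the environment.
func parseWithOptOut(der []byte) error {
	old, had := os.LookupEnv("GODEBUG")
	os.Setenv("GODEBUG", "x509negativeserial=1")
	_, err := x509.ParseCertificate(der)
	if had {
		os.Setenv("GODEBUG", old)
	} else {
		os.Unsetenv("GODEBUG")
	}
	return err
}

// makeCert builds a self-signed test certificate (constructed for this example)
// with serial 1, which DER-encodes as 02 01 01. With negative=true the single
// content byte gets its sign bit set (0x81, i.e. -127): the shape of a negative
// serial. The signature no longer matches, but ParseCertificate does not check it.
func makeCert(negative bool) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "negative-serial-demo"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	if negative {
		_, e, err := locateSerial(der)
		if err != nil {
			return nil, err
		}
		der[e-1] |= 0x80 // last byte of the TLV is the one content byte
	}
	return der, nil
}

func main() {
	for _, neg := range []bool{false, true} {
		der, err := makeCert(neg)
		if err != nil {
			panic(err)
		}
		serial, err := rawSerial(der)
		if err != nil {
			panic(err)
		}
		_, perr := x509.ParseCertificate(der)
		fmt.Printf("serial=%v negative=%v ParseCertificate err=%v\n", serial, serial.Sign() < 0, perr)
		fmt.Printf("  with GODEBUG=x509negativeserial=1: err=%v\n", parseWithOptOut(der))
	}
}
```

To check the certificate a container actually generated, decode the PEM with encoding/pem and pass block.Bytes to rawSerial; a result with Sign() < 0 is one that a Go 1.23 client will refuse. Whether ParseCertificate rejects the constructed certificate depends on the toolchain and on the go directive in go.mod, since that sets the default for the x509negativeserial godebug; the opt-out via the environment overrides either way.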