Search code examples
sql-servergotestcontainerssqlx

failed to parse certificate from server: x509: negative serial number

Have recently started to encountered this error when using testcontainers and specifically mssql images (have tried different image versions). This happens both locally when running on WSL, but also when running in Bitbucket pipeline container.

This used to work fine, and the error hasn't coincided with any updates to testcontainers or sqlx. I am using Go 1.23

2024/10/07 13:27:35 🐳 Creating container for image mcr.microsoft.com/mssql/server:2022-latest
2024/10/07 13:27:35 ✅ Container created: d7e6e168b77b
2024/10/07 13:27:35 🐳 Starting container: d7e6e168b77b
2024/10/07 13:27:36 ✅ Container started: d7e6e168b77b
2024/10/07 13:27:36 ⏳ Waiting for container id d7e6e168b77b image: mcr.microsoft.com/mssql/server:2022-latest. Waiting for: &{timeout:<nil> Log:Recovery is complete. IsRegexp:false Occurrence:1 PollInterval:100ms}
2024/10/07 13:27:41 🔔 Container is ready: d7e6e168b77b
    database_test.go:173: 
                Error Trace:    database_test.go:173
                Error:          Received unexpected error:
                                TLS Handshake failed: tls: failed to parse certificate from server: x509: negative serial number
                Test:           TestConnection

Here is how I would typically set up the db under test. Any suggestions as to why this may be happening?

import (
    "context"
    "fmt"
    "testing"

    "github.com/jmoiron/sqlx"
    "github.com/stretchr/testify/assert"
    "github.com/stretchr/testify/require"
    "github.com/testcontainers/testcontainers-go/modules/mssql"
)

func setupDB(ctx context.Context, t *testing.T) (string, func(ctx context.Context) error) {
    container, err := mssql.Run(ctx, "mcr.microsoft.com/mssql/server:2022-latest",
        mssql.WithAcceptEULA(),
    )
    require.NoError(t, err)

    conn, err := container.ConnectionString(ctx)
    require.NoError(t, err)

    return conn, container.Terminate
}

func TestConnection(t *testing.T) {
    ctx, cancel := context.WithTimeout(context.Background(), testTimeout)
    defer cancel()

    conn, cleanup := setupDB(ctx, t)
    defer cleanup(ctx)

    db, err := sqlx.ConnectContext(ctx, "sqlserver", conn)
    assert.NoError(t, err)
    
    db.Ping()
    assert.NoError(t, err)
    assert.NotNil(t, db)
}
Solution

  • This has been changed in Go 1.23. It's not in the release notes, but x509.ParseCertificate now says:

    Before Go 1.23, ParseCertificate accepted certificates with negative serial numbers. This behavior can be restored by including "x509negativeserial=1" in the GODEBUG environment variable.

    Note that starting with Go 1.23 debug flags can be set in go.mod:

    module my-module

godebug (
    x509negativeserial=1
)

    Or in the main package:

    //go:debug x509negativeserial=1
package main