Default TLS cert uses negative serial number

[sblackstone]

The default certificate created by the docker container sometimes contains a negative serial number.

A TLS certificate with a negative serial number is invalid, although some software has historically tolerated this.

As of Golang 1.23, x509.ParseCertificate explicitly rejects these certificates, this impacts microsoft/go-mssqldb such that it can no longer connect to the docker container due to the the invalid certificate.

I think the proper place to fix this is in the docker repo, a TLS cert with an invalid serial number is not a valid TLS cert.

See: https://tip.golang.org/doc/go1.23#cryptox509pkgcryptox509

[giautm]

Hey @sblackstone, I have the same issue here. However I noticed that the issue happens randomly during the boot process of the container, sometimes it generates the correct serial number and the client can connect to it.

Do we have any way to workaround before this issue gets fixed? Like runs the command to re-generate certs or provide a custom via mount.

Related: microsoft/go-mssqldb#217

[sblackstone]

Hey @sblackstone, I have the same issue here. However I noticed that the issue happens randomly during the boot process of the container, sometimes it generates the correct serial number and the client can connect to it.

Do we have any way to workaround before this issue gets fixed? Like runs the command to re-generate certs or provide a custom via mount.

Related: microsoft/go-mssqldb#217

I created my own cert as part of a custom image.

RUN openssl req -x509 -nodes -newkey rsa:2048 -subj '/CN=mssql' -addext "subjectAltName = DNS:mssql" -keyout /etc/ssl/private/mssql.key -out /etc/ssl/certs/mssql.pem -days 365
RUN chmod 400 /etc/ssl/private/mssql.key
RUN chmod 400 /etc/ssl/certs/mssql.pem
RUN mkdir -p /var/opt/mssql
COPY mssql.conf /var/opt/mssql/mssql.conf

and mssql.conf looks like:

[network]
tlscert = /etc/ssl/certs/mssql.pem
tlskey = /etc/ssl/private/mssql.key
tlsprotocols = 1.2
forceencryption = 1

[giautm]

To workaround after upgrade to go1.23, we can enable the x509negativeserial setting using godebug directive in the go.mod file.

go 1.23

godebug (
	x509negativeserial=1
)