tls: failed to parse certificate from server: x509: negative serial number #16309

Closed
Eraser3 opened this issue Dec 15, 2024 · 4 comments

Eraser3 commented Dec 15, 2024

Relevant telegraf.conf

[[inputs.sqlserver]]
  servers = [
    "Server=127.0.0.1;Port=1433;User Id=telegraf;Password=<HIDDEN>;Database=<MyDatabase>;app name=telegraf;log=1;TrustServerCertificate=1;",
  ]

  query_timeout = "10s"
  database_type = "SQLServer"
  include_query = ["SQLServerPerformanceCounters", "SQLServerRequests"]
  exclude_query = ["SQLServerAvailabilityReplicaStates", "SQLServerDatabaseReplicaStates"]

Logs from Telegraf

Dec 15 14:18:30 sql-02 telegraf[11607]: 2024-12-15T13:18:30Z E! [inputs.sqlserver] Error in plugin: query SQLServerRequests failed for server: 127.0.0.1 and database: <MyDatabase> with Error: TLS Handshake failed: tls: failed to parse certificate from server: x509: negative serial number
Dec 15 14:18:30 sql-02 telegraf[11607]: 2024-12-15T13:18:30Z E! [inputs.sqlserver] Error in plugin: query SQLServerPerformanceCounters failed for server: 127.0.0.1 and database: <MyDatabase> with Error: TLS Handshake failed: tls: failed to parse certificate from server: x509: negative serial number

System info

Telegraf 1.33.0, Ubuntu 20.04.6 LTS, Microsoft SQL Server 2019 (RTM-CU30) (KB5049235) - 15.0.4415.2 (X64) Standard Edition (64-bit)

Docker

No response

Steps to reproduce

  1. Install SQL Server 2019
  2. Configure Telegraf sqlserver input
  3. Run Telegraf

Expected behavior

Telegraf to successfully connect with SQL Server.

Actual behavior

Telegraf fails the SQL Server TLS handshake because of the X509 negative serial number.

Additional info

No response

@Eraser3 Eraser3 added the bug unexpected problem or unintended behavior label Dec 15, 2024
@DStrand1 DStrand1 self-assigned this Dec 20, 2024

jminardi commented Jan 23, 2025

I have this same issue when trying to connect to Kepware.

I believe telegraf is interpreting the serial number as a signed int, when it's intended to be an unsigned int.

I've exported the cert and inspected it on my Mac. There, the serial number is listed as a large positive integer (large enough to cause an overflow if interpreted as an int32).

How can we get telegraf to interpret the serial numbers as uint32s?

@jminardi

I've got a workaround to this problem. Set the following env var to get the Go cert library to ignore the negative serial number error: GODEBUG=x509negativeserial=1

DStrand1 (Member) commented Feb 7, 2025

@Eraser3 and @jminardi, I created an issue for upstream Go here: golang/go#71606. Could you provide any further context on your issue there, and post the output of the affected certificate chain?

srebhan (Member) commented Feb 17, 2025

Closing this issue as PR #16489 should have you covered. We need to remove the workaround iff the Golang devs decide to do something about it.

@srebhan srebhan closed this as completed Feb 17, 2025
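
An added example (not code from this issue, Telegraf or Go itself): it reads the serialNumber INTEGER straight from a certificate's DER with encoding/asn1 and reports the same octets both as DER's two's complement value, which is what produces the `x509: negative serial number` error above, and as the unsigned number a certificate viewer may display. `InspectSerial` is a hypothetical helper name, and the two byte slices are constructed skeletons, not certificates from this thread.

```go
package main

import (
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
)

// Constructed skeletons, not real certificates: outer SEQUENCE, tbsCertificate with
// only version and serialNumber. Same 8 serial octets without / with a leading 0x00.
var sampleNegative = []byte{0x30, 0x11, 0x30, 0x0f, 0xa0, 0x03, 0x02, 0x01, 0x02,
	0x02, 0x08, 0xf3, 0x9a, 0x1c, 0x00, 0x5d, 0x2b, 0x77, 0x01}
var samplePositive = []byte{0x30, 0x12, 0x30, 0x10, 0xa0, 0x03, 0x02, 0x01, 0x02,
	0x02, 0x09, 0x00, 0xf3, 0x9a, 0x1c, 0x00, 0x5d, 0x2b, 0x77, 0x01}

// InspectSerial reads the serialNumber INTEGER from DER or PEM without crypto/x509 and
// returns its DER two's complement value plus the same octets read as unsigned.
func InspectSerial(data []byte) (negative bool, signed, unsigned *big.Int, err error) {
	if blk, _ := pem.Decode(data); blk != nil {
		data = blk.Bytes // accept PEM as well as raw DER
	}
	var cert, tbs, f asn1.RawValue
	if _, err = asn1.Unmarshal(data, &cert); err != nil {
		return false, nil, nil, err
	}
	if _, err = asn1.Unmarshal(cert.Bytes, &tbs); err != nil {
		return false, nil, nil, err
	}
	rest, err := asn1.Unmarshal(tbs.Bytes, &f)
	if err == nil && f.Class == asn1.ClassContextSpecific && f.Tag == 0 {
		_, err = asn1.Unmarshal(rest, &f) // skip the optional [0] version
	}
	if err != nil || f.Class != asn1.ClassUniversal || f.Tag != asn1.TagInteger || len(f.Bytes) == 0 {
		return false, nil, nil, fmt.Errorf("serialNumber INTEGER not found: %v", err)
	}
	negative = f.Bytes[0]&0x80 != 0 // high bit of the first content octet
	unsigned, signed = new(big.Int).SetBytes(f.Bytes), new(big.Int).SetBytes(f.Bytes)
	if negative { // two's complement: subtract 2^(8*len)
		signed.Sub(signed, new(big.Int).Lsh(big.NewInt(1), uint(8*len(f.Bytes))))
	}
	return negative, signed, unsigned, nil
}

func main() {
	for _, der := range [][]byte{sampleNegative, samplePositive} {
		fmt.Println(InspectSerial(der))
	}
}
```

Pass it the bytes of a PEM or DER certificate exported from the server to see whether the encoded serial lacks the leading 0x00 octet that keeps it positive.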