Terraform x509: negative serial number error

Introduction

This document provides guidance for resolving the error tls: failed to parse certificate from server: x509: negative serial number that may occur when upgrading from Terraform 1.9.8 to 1.10.5 in environments with upstream proxies performing TLS inspection.

Problem

When upgrading from Terraform 1.9.8 to 1.10.5, users may encounter the following error:

tls: failed to parse certificate from server: x509: negative serial number

This issue is commonly linked to TLS inspection by upstream proxies and changes in Go's TLS handling behavior between versions.

Prerequisites

• Terraform version 1.9.8 or later

• Go version 1.22.7 or 1.23.3

• An environment with upstream proxies performing TLS inspection

Cause

This error occurs because:

• Terraform 1.9 was compiled with Go 1.22.7, which accepted TLS certificates with negative serial numbers.

• Terraform 1.10 was compiled with Go 1.23.3, which enforces stricter certificate parsing rules, rejecting certificates with negative serial numbers.

Overview of Possible Solutions

The issue can be resolved by setting a specific environment variable that relaxes Go's certificate parsing behavior.

Solutions

Solution 1: Set the GODEBUG Environment Variable

1. Add the following environment variable to your system or Terraform execution environment:

   export GODEBUG=x509negativeserial=1

2. If using HCP Terraform, add this variable to your workspace environment variables:

   • Navigate to Settings ➔ Environment Variables

   • Add GODEBUG as the key and x509negativeserial=1 as the value.

3. Re-run your Terraform commands.

If upgrading to Terraform 1.10.5 is not immediately necessary, consider reverting to version 1.9.8 while planning a proper certificate replacement strategy.

Outcome

To confirm the issue is resolved:

• Run terraform plan or terraform apply and verify that the x509: negative serial number error no longer appears.

• If the issue persists, consider reviewing proxy configurations or engaging with your network team for additional support.

Additional Information

• Terraform 1.9 was compiled with Go 1.22.7: Terraform v1.9

• Terraform 1.10 was compiled with Go 1.23.3: Terraform v1.10