Introduction
This document provides guidance for resolving the error "tls: failed to parse certificate from server: x509: negative serial number" that may occur when upgrading from Terraform 1.9.8 to 1.10.5 in environments with upstream proxies performing TLS inspection.
Problem
When upgrading from Terraform 1.9.8 to 1.10.5, users may encounter the following error:
tls: failed to parse certificate from server: x509: negative serial number
This issue is commonly linked to TLS inspection by upstream proxies and changes in Go's TLS handling behavior between versions.
Prerequisites
- Terraform version 1.9.8 or later
- Go version 1.22.7 or 1.23.3
- An environment with upstream proxies performing TLS inspection
Cause
This error occurs because:
- Terraform 1.9 was compiled with Go 1.22.7, which accepted TLS certificates with negative serial numbers.
- Terraform 1.10 was compiled with Go 1.23.3, which enforces stricter certificate parsing rules, rejecting certificates with negative serial numbers.
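To confirm which certificate in the presented chain carries the negative serial number, the serial can be read directly from the DER encoding, which works even where Go 1.23's crypto/x509 refuses to parse the certificate. The following Go program is an added example, not part of the original article or of Terraform's code; serialFromDER and sampleDER are hypothetical names, the built-in sample is a constructed unsigned skeleton, and the optional argument is assumed to be a PEM file holding the chain the proxy presents.

```go
package main

import (
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
)

// serialFromDER reads only the serialNumber field of a DER certificate.
func serialFromDER(der []byte) (*big.Int, error) {
	var cert, tbs, field asn1.RawValue
	if _, err := asn1.Unmarshal(der, &cert); err != nil { // Certificate SEQUENCE
		return nil, err
	}
	if _, err := asn1.Unmarshal(cert.Bytes, &tbs); err != nil { // TBSCertificate
		return nil, err
	}
	rest, err := asn1.Unmarshal(tbs.Bytes, &field)
	// Skip the optional [0] EXPLICIT version that precedes the serial.
	if err == nil && field.Class == asn1.ClassContextSpecific && field.Tag == 0 {
		_, err = asn1.Unmarshal(rest, &field)
	}
	var serial *big.Int
	if err == nil {
		_, err = asn1.Unmarshal(field.FullBytes, &serial) // fails unless INTEGER
	}
	return serial, err
}

// sampleDER builds a constructed, unsigned skeleton (version and serial only).
func sampleDER(serial int64) []byte {
	type tbs struct {
		Version int `asn1:"explicit,tag:0"`
		Serial  *big.Int
	}
	der, _ := asn1.Marshal(struct{ TBS tbs }{tbs{2, big.NewInt(serial)}})
	return der
}

func main() {
	data := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: sampleDER(-1234)})
	if len(os.Args) > 1 { // optional argument: PEM file with the presented chain
		data, _ = os.ReadFile(os.Args[1])
	}
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		serial, err := serialFromDER(b.Bytes)
		fmt.Printf("serial=%v negative=%t err=%v\n", serial, err == nil && serial.Sign() < 0, err)
	}
}
```

A line reporting negative=true identifies the certificate that needs to be reissued as part of the certificate replacement strategy.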
Overview of Possible Solutions
The issue can be resolved by setting a specific environment variable that relaxes Go's certificate parsing behavior.
Solutions
Solution 1: Set the GODEBUG Environment Variable
- Add the following environment variable to your system or Terraform execution environment:
  export GODEBUG=x509negativeserial=1
- If using HCP Terraform, add this variable to your workspace environment variables:
  - Navigate to Settings ➔ Environment Variables
  - Add GODEBUG as the key and x509negativeserial=1 as the value.
- Re-run your Terraform commands.
If upgrading to Terraform 1.10.5 is not immediately necessary, consider reverting to version 1.9.8 while planning a proper certificate replacement strategy.
Outcome
To confirm the issue is resolved:
- Run terraform plan or terraform apply and verify that the "x509: negative serial number" error no longer appears.
- If the issue persists, consider reviewing proxy configurations or engaging with your network team for additional support.
Additional Information
- Terraform 1.9 was compiled with Go 1.22.7: Terraform v1.9
- Terraform 1.10 was compiled with Go 1.23.3: Terraform v1.10