Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/tls: rejects CA cert from certtool #6837

gopherbot opened this issue Nov 27, 2013 · 9 comments

crypto/tls: rejects CA cert from certtool #6837

gopherbot opened this issue Nov 27, 2013 · 9 comments


Copy link

by pavel.odintsov:

What steps will reproduce the problem?
If possible, include a link to a program on
1. I created CA cert and sign server certificate using certtool from gnutls-utils

What is the expected output?
Working SSL

What do you see instead?
x509: RSA modulus is not a positive number

Which compiler are you using (5g, 6g, 8g, gccgo)?
go build

Which operating system are you using?
Centos6 up to date

Which version are you using?  (run 'go version')
go version go1.1.2 linux/amd64

Please provide any additional information below.
Copy link

rsc commented Nov 27, 2013

Comment 1:

Labels changed: added go1.3maybe.

Copy link

rsc commented Nov 27, 2013

Comment 2:

Can you please attach the certificate, or create a new one demonstrating the bug and
attach that?

Labels changed: added priority-later, removed priority-triage.

Status changed to Accepted.

Copy link

Comment 3 by pavel.odintsov:

Please check this certificates. Thank you!


  1. gnutls.crt (1196 bytes)
  2. gnutls.key.txt (1679 bytes)

Copy link

ality commented Nov 30, 2013

Comment 4:

This cert does indeed have a negative RSA modulus:
$ openssl asn1parse -i -dump -in gnutls.crt -strparse 174
    0:d=0  hl=4 l= 265 cons: SEQUENCE
    4:d=1  hl=4 l= 256 prim:  INTEGER           :-17FE30E907088DB4680D2F9C165D24604F1E8E7BB7EAB6AE31F1D6E71E32BD1C56CAAB4AA9DA4EBC376D80EC251DDF428E541264DEBE346DCB500D98E839F0A196EDB76151734E44BC681442B0AF0F85A924EB6FC54FD697BB7588AB841F68361E44EF191D633BCBF86CDA0BC78DAE7C309B5954B8087B074789E761EE7B10A11D9697AB43164004CE67C841BDD5D09A594D23587096D8713A45FEBEF4EBB099576C931D075AEADAE7B8C8B490C0703BEFE6840C4C4AE333C2797EAA9F05ED69685513C701B673E5D671F17F89E40F2B462171D779EA55EA76AF988333639A5BA7A75104003CAAE71F699D1303ABDC60C6C9939DD2C427B3CAFFA327FC5FD675
  264:d=1  hl=2 l=   3 prim:  INTEGER           :010001
The GnuTLS ASN.1 encoder should have padded it with a leading NUL byte.
It looks like CentOS 6 uses a modified version of GnuTLS 2.8.5¹ which
is unfortunate since this bug was fixed four years ago² (and included
in the 2.8.6 release).

Copy link

Comment 5 by pavel.odintsov:

Thank you so much! I will try to send this bug to RH/CentOS.

Copy link

agl commented Dec 2, 2013

Comment 6:

Closing as the problem doesn't appear to be in Go in this case.

Status changed to WorkingAsIntended.

@rsc rsc added this to the Go1.3 milestone Apr 14, 2015
@rsc rsc removed the go1.3maybe label Apr 14, 2015
Copy link

I hit the same error trying to do docker pull and isolated root cause back to a known issue with Palo Alto Networks (PAN) SSL intercepting firewall. Here's what we got from PAN support...

According to ASN.1 coding rule modulus values starting with bytes
higher than 0x80 are always treated as negative values, and as such
should be prefixed with 0x00. In your certificate example modulus hex
value starts with 0x88 and that is why it is presented with additional
0x00 when parsed by open-ssl (00:aa:32:1d...). two 0s are added by
open ssl during parsing because of ASN.1 coding rule.

The problem here is that PAN doesn't put 00s in front of the modulus
value of on the fly certificates, which makes them being treated as
irregular on the systems that rely on ASN.1 standard.

This is a known issue to us and we already have a bug # 59030 for it
which has been fixed in PAN-OS 6.0.1 release. So release 6.0.1 and
newer resolve this issue.

Don't know if PAN is using gnutls certtool, but figured I would share for anybody going web proxy thru a corporate firewall, etc...

Copy link

@swapdisk This issue was closed long ago. If you are having trouble with the current code please open a new issue or ask on golang-nuts. Thanks.

Copy link

@ianlancetaylor Understood, was just sharing some knowledge regarding other issues that can trigger the same golang error. I also see that Red Hat has just now released updated RHEL6 gnutls-utils package that includes the certtool bug fix at :-)

@golang golang locked and limited conversation to collaborators Aug 5, 2016
This issue was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet

No branches or pull requests

6 participants