docs(mssql): describe MSSQL issue with negative certificates #3417
mdelapenya merged 3 commits into testcontainers:main from
Walkthrough
Documentation for the MS SQL module was updated to add notes about requiring GODEBUG=x509negativeserial=1 due to negative-serial-number certificates in certain MSSQL Docker images, outline affected versions and a fix in specific SQL Server CU releases, and include a warning about EULA acceptance for container images.
Actionable comments posted: 0
🧹 Nitpick comments (3)
docs/modules/mssql.md (3)
17-19: Fix bare URL and show non-destructive GODEBUG example
Replace the bare URL (MD034) and add a quick example that appends to existing GODEBUG instead of overwriting.
-!!!info - In order to use this module, you must set the `GODEBUG=x509negativeserial=1` environment variable. See https://github.com/microsoft/mssql-docker/issues/895 for more details. - +!!!info + To use this module with Go 1.23+, set `GODEBUG=x509negativeserial=1`. See the related issue in the [mssql-docker repository](https://github.com/microsoft/mssql-docker/issues/895) for details. + + ```shell + # append to any existing GODEBUG flags instead of overwriting + export GODEBUG="${GODEBUG:+$GODEBUG,}x509negativeserial=1" + ```
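Review bot: the added `export GODEBUG=...` line sets the flag for the whole shell session, so every Go program started from that shell afterwards inherits the relaxed certificate check, not only the MSSQL tests. Suggest showing the per-command form, for example `GODEBUG="${GODEBUG:+$GODEBUG,}x509negativeserial=1" go test ./...`, or stating next to the snippet that the export belongs in the test shell only.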
20-26: Tighten wording and add safety note
Clarify the bullets and highlight that the flag should be limited to affected images/environments.
-This is happening because: +This occurs because: - The MSSQL Docker image uses a self-signed certificate with a negative serial number -- Go 1.23+ has stricter certificate validation that rejects certificates with negative serial numbers by default -- The `x509negativeserial=1` flag tells Go to accept certificates with negative serial numbers +- Go 1.23+ has stricter certificate validation that rejects certificates with negative serial numbers by default +- The `x509negativeserial=1` flag temporarily re‑enables acceptance of such certificates - -The error you're seeing is a security feature in Go 1.23+ that was introduced to prevent potential certificate-related attacks. The MSSQL Docker image hasn't been updated to use certificates with positive serial numbers yet, which is why we need to use this workaround. +Note: This stricter check in Go 1.23+ is a security hardening. Prefer using images with fixed certificates (see below). Use the GODEBUG workaround only with affected images and in test environments.
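Review bot: the "Go 1.23+ has stricter certificate validation that rejects certificates with negative serial numbers by default" bullet is removed and re-added with the same text, so the suggestion touches a line it does not change; drop it so the diff shows only the lines that differ. The new Note also replaces the sentence explaining that the image has not yet been updated to use positive serial numbers, and its "(see below)" depends on the following info block staying where it is; consider keeping the cause and naming the fixed CUs in the Note itself.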
27-30: Replace bare URL; nudge users toward fixed images
Fix MD034 and point users to prefer fixed CU images to avoid GODEBUG.
-!!!info - This is fixed in SQL2019 CU32 and SQL2022 CU18: -https://learn.microsoft.com/en-us/troubleshoot/sql/releases/sqlserver-2022/cumulativeupdate18#3867855 +!!!info + This is fixed in SQL2019 CU32 and SQL2022 CU18 (see [SQL Server 2022 CU18 — KB 3867855](https://learn.microsoft.com/en-us/troubleshoot/sql/releases/sqlserver-2022/cumulativeupdate18#3867855)). + + Prefer using container images based on these (or newer) CUs to avoid setting `GODEBUG`.
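Review bot: the new link label presents 3867855 as "KB 3867855", but in the visible URL it appears only as the `#3867855` fragment on the cumulativeupdate18 page; label it as the fix entry on that page unless the KB number is confirmed. The sentence also states the fix for SQL2019 CU32 while linking only the SQL Server 2022 page, so a matching reference for 2019 would let readers verify both versions.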
🧰 Additional context used
🪛 markdownlint-cli2 (0.18.1)
docs/modules/mssql.md
18-18: Bare URL used (MD034, no-bare-urls)
29-29: Bare URL used (MD034, no-bare-urls)
What does this PR do?
It documents the MSSQL issue with self-signed certificates.
Why is it important?
Improve the docs
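Added example (not part of this pull request or the testcontainers-go docs): one way to apply the `GODEBUG=x509negativeserial=1` workaround this PR documents to a single command instead of the whole shell, keeping any flags already present in `GODEBUG` and replacing a stale `x509negativeserial` value. The function names `godebug_with` and `with_negative_serial` are hypothetical.

```shell
#!/bin/sh
# Added example; godebug_with and with_negative_serial are hypothetical names.

# godebug_with KEY=VALUE [CURRENT]
# Print CURRENT (default: $GODEBUG) with KEY set to VALUE. An existing entry
# for KEY is replaced, other flags are kept, and nothing is duplicated.
# The body runs in a subshell so the IFS and noglob changes stay local.
godebug_with() (
    kv=$1
    current=${2-${GODEBUG-}}
    key=${kv%%=*}
    out=
    set -f
    IFS=,
    for entry in $current; do
        case $entry in
            "" | "$key"=*) ;;                  # skip blanks and the stale value
            *) out="${out:+$out,}$entry" ;;
        esac
    done
    printf '%s\n' "${out:+$out,}$kv"
)

# with_negative_serial CMD [ARGS...]
# Run one command with x509negativeserial=1 added to its GODEBUG. env(1) sets
# the variable for that process only, so the calling shell is left unchanged.
with_negative_serial() {
    env GODEBUG="$(godebug_with x509negativeserial=1)" "$@"
}

# Example: with_negative_serial go test ./...
```

Wrapping only the test command keeps the relaxed serial-number check away from other Go tools started from the same shell.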