
Release 1.18

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.18 introduces several new features and breaking changes. Highlights include support for ACME certificate profiles, a new default for Certificate.Spec.PrivateKey.RotationPolicy now set to Always (breaking change), and the default Certificate.Spec.RevisionHistoryLimit now set to 1 (potentially breaking). Be sure to review all new features and changes below, and read the full release notes carefully before upgrading.

Major Themes

OperatorHub Packages Discontinued

We no longer publish OperatorHub packages for cert-manager. Why? Because the cert-manager maintainers no longer have the time or resources to maintain and test those packages. cert-manager v1.16.5 is the last release on OperatorHub.

â„šī¸ cert-manager v1.16.5 for RedHat OpenShift OperatorHub.

â„šī¸ cert-manager v1.16.5 for operatorhub.io.

â„šī¸ Archived cert-manager-olm repository.

ACME HTTP01 challenge paths now use PathType Exact in Ingress routes

âš ī¸ Breaking change

We have changed the PathType for ACME HTTP01 Ingress-based challenges to Exact. This security feature ensures that the challenge path (which is an exact path) is not misinterpreted as a regular expression or subjected to some other Ingress-specific (ImplementationSpecific) parsing. It also allows HTTP01 challenges to be solved when using standards-compliant Ingress controllers such as Cilium.

This change is incompatible with certain versions and configurations of the ingress-nginx Ingress controller. Versions of ingress-nginx >=1.8.0 support a strict-validate-path-type configuration option which, when enabled, disallows . (dot) in the path value. This is a bug which makes it impossible to use various legitimate URL paths, including the http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN> URLs used for ACME HTTP01. To make matters worse, the buggy validation is enabled by default in ingress-nginx >= 1.12.0. You will see errors like this in the cert-manager controller logs:

Error presenting challenge: admission webhook validate.nginx.ingress.kubernetes.io denied the request: ingress contains invalid paths: path /.well-known/acme-challenge/oTw4h9_WsobTRn5COTSyaiAx3aWn0M7_aYisoz1gXQw cannot be used with pathType Exact

If you use ingress-nginx, choose one of the following two options:

Option 1. Disable the ACMEHTTP01IngressPathTypeExact feature in cert-manager

To disable the ACMEHTTP01IngressPathTypeExact feature and reinstate the old PathType: ImplementationSpecific behavior, use the following Helm values when installing cert-manager:

# values.yaml
config:
  featureGates:
    # Disable the use of Exact PathType in Ingress resources, to work around a bug in ingress-nginx
    # https://github.com/kubernetes/ingress-nginx/issues/11176
    ACMEHTTP01IngressPathTypeExact: false

Option 2. Disable the strict-validate-path-type option in ingress-nginx

To disable the buggy strict path validation, use the following Helm values when installing ingress-nginx:

# values.yaml
controller:
  config:
    # Disable strict path validation, to work around a bug in ingress-nginx
    # https://github.com/kubernetes/ingress-nginx/issues/11176
    strict-validate-path-type: false

ACME Certificate Profiles

cert-manager now supports the selection of ACME certificate profiles, allowing users to request different categories of certificates from their ACME Certificate Authority. This enhancement leverages the latest ACME protocol extension for certificate profiles (IETF draft) and is supported by Let's Encrypt and other providers. For example, Let's Encrypt offers the tlsserver profile for standard server certificates and the shortlived profile for short-lived six-day certificates. These new options provide users with greater flexibility and improved security for their certificate management needs.

📖 Learn more by visiting the ACME Issuer documentation.
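The following is an added example, not cert-manager's own code, showing the client side of the profiles extension the text refers to: the CA advertises its profiles in the directory's meta.profiles object and the client selects one by adding a profile field to the newOrder payload. The directory document is constructed for the example (acme.example is a placeholder host), and the draft name draft-aaron-acme-profiles is an assumption on my part.

```python
"""Added example, not cert-manager's own code: how a client selects an ACME
certificate profile.

The profiles extension (assumed here to be draft-aaron-acme-profiles) has the
CA list its profiles under the directory's "meta.profiles" object, and the
client picks one by adding a "profile" field to the newOrder payload. The
directory document below is constructed for this example; the profile names
mirror the ones the text mentions.
"""
import json
from typing import Dict, List, Optional

# Constructed directory response; acme.example is a placeholder host.
SAMPLE_DIRECTORY = json.loads("""
{
  "newNonce": "https://acme.example/acme/new-nonce",
  "newAccount": "https://acme.example/acme/new-acct",
  "newOrder": "https://acme.example/acme/new-order",
  "meta": {
    "termsOfService": "https://acme.example/tos",
    "profiles": {
      "tlsserver": "standard TLS server certificate",
      "shortlived": "six-day TLS server certificate"
    }
  }
}
""")


def advertised_profiles(directory: dict) -> Dict[str, str]:
    """Profiles the CA offers; empty when the CA does not implement the extension."""
    meta = directory.get("meta") or {}
    return dict(meta.get("profiles") or {})


def build_new_order(directory: dict, dns_names: List[str],
                    profile: Optional[str] = None) -> dict:
    """Build the newOrder payload, adding "profile" only when one is requested.

    A requested profile is checked against the directory first, so a misspelled
    profile name fails locally instead of being sent to the CA (which would
    reject the order) or silently falling back to the CA's default profile.
    """
    payload = {"identifiers": [{"type": "dns", "value": n} for n in dns_names]}
    if profile is None:
        return payload
    offered = advertised_profiles(directory)
    if profile not in offered:
        raise ValueError(
            f"profile {profile!r} is not offered by this CA; advertised: {sorted(offered)}")
    payload["profile"] = profile
    return payload


if __name__ == "__main__":
    order = build_new_order(SAMPLE_DIRECTORY, ["www.example.com"], "shortlived")
    print(json.dumps(order, indent=2))
```

Checking the requested profile against the directory before placing the order is the useful part: a CA that does not offer the named profile rejects the order, and a CA that does not implement the extension at all simply has no meta.profiles, in which case the client should send a plain newOrder.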

The default value of Certificate.Spec.PrivateKey.RotationPolicy is now Always

âš ī¸ Breaking change

We have changed the default value of Certificate.Spec.PrivateKey.RotationPolicy from Never to Always.

Why? Because the old default was unintuitive and insecure. For example, if a private key is exposed, users may (reasonably) assume that re-issuing a certificate (e.g. using cmctl renew) will generate a new private key, but it won't unless the user has explicitly set rotationPolicy: Always on the Certificate resource.

This change is feature gated and is enabled by default, because it has been fast-tracked to beta status.

Users who want to preserve the old default have two options:

  1. Explicitly set rotationPolicy: Never on your Certificate resources.
  2. Turn off the feature gate in this release and explicitly set rotationPolicy: Never on your Certificates before release 1.19. In release 1.19, the feature will be marked as GA and it will no longer be possible to turn off the feature.

The following Helm chart values can be used to turn off the feature gate:

# values.yaml
config:
  featureGates:
    DefaultPrivateKeyRotationPolicyAlways: false

â„šī¸ The old default value Never was always intended to be changed before API v1, as can be seen in the description of the original PR:

For backward compatibility, the empty value is treated as 'Never' which matches the behavior we have today. In a future API version, we can flip this default to be Always.

📖 See Issue: 7601: Change PrivateKey.RotationPolicy to default to Always to read the proposal for this change and the discussion around it.

📖 Read cert-manager component configuration to learn more about feature gates.

📖 Read our updated API compatibility statement which now reflects our new, more flexible, approach to changing API defaults, with a view to introducing other "sane" default API values in future releases.

📖 Read Issuance behavior: Rotation of the private key to learn more about private key rotation in cert-manager.

The default value of Certificate.Spec.RevisionHistoryLimit is now 1

âš ī¸ Potentially breaking change

The default value for the Certificate resource's revisionHistoryLimit field is now set to 1. This ensures that old CertificateRequest revisions are automatically garbage collected, improving resource management and reducing clutter in clusters. Previously, if not specified, no limit was applied, potentially leading to an accumulation of stale CertificateRequest resources. With this update, users no longer need to manually configure the revision history limit to benefit from automated cleanup.

When you upgrade to cert-manager 1.18, all stale CertificateRequest resources will be garbage collected, unless you explicitly set the revisionHistoryLimit value on your Certificate resources.
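Both of the new defaults above (rotationPolicy and revisionHistoryLimit) only bite Certificates that do not set the field explicitly, so the check a practitioner wants before upgrading is an inventory of exactly those resources. The script below is an added example, not cert-manager's own tooling: it reads the JSON that `kubectl get certificates -A -o json` and `kubectl get certificaterequests -A -o json` produce, lists Certificates that rely on either default, and predicts which CertificateRequest revisions the new limit of 1 would garbage collect. The two JSON documents embedded in it are constructed sample input, not real cluster data; the grouping relies on the cert-manager.io/certificate-name and cert-manager.io/certificate-revision annotations cert-manager sets on requests it creates.

```python
"""Added example, not cert-manager's own code: pre-upgrade audit for the two
new 1.18 defaults.

Reports Certificates with no explicit spec.privateKey.rotationPolicy (default
becomes Always, so the next renewal generates a new key) and no explicit
spec.revisionHistoryLimit (default becomes 1, so older CertificateRequest
revisions are garbage collected). Both documents below are constructed sample
input shaped like `kubectl get ... -A -o json` output.
"""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

NEW_DEFAULT_HISTORY_LIMIT = 1  # the 1.18 default for spec.revisionHistoryLimit

SAMPLE_CERTIFICATES = json.loads("""
{"items": [
  {"metadata": {"namespace": "web", "name": "site-tls"},
   "spec": {"secretName": "site-tls", "issuerRef": {"name": "letsencrypt"}}},
  {"metadata": {"namespace": "web", "name": "pinned-key"},
   "spec": {"secretName": "pinned-key", "issuerRef": {"name": "letsencrypt"},
            "privateKey": {"rotationPolicy": "Never"}, "revisionHistoryLimit": 3}}
]}
""")

SAMPLE_REQUESTS = json.loads("""
{"items": [
  {"metadata": {"namespace": "web", "name": "site-tls-1", "annotations":
    {"cert-manager.io/certificate-name": "site-tls", "cert-manager.io/certificate-revision": "1"}}},
  {"metadata": {"namespace": "web", "name": "site-tls-2", "annotations":
    {"cert-manager.io/certificate-name": "site-tls", "cert-manager.io/certificate-revision": "2"}}},
  {"metadata": {"namespace": "web", "name": "site-tls-3", "annotations":
    {"cert-manager.io/certificate-name": "site-tls", "cert-manager.io/certificate-revision": "3"}}},
  {"metadata": {"namespace": "web", "name": "pinned-key-1", "annotations":
    {"cert-manager.io/certificate-name": "pinned-key", "cert-manager.io/certificate-revision": "1"}}}
]}
""")

Key = Tuple[str, str]  # (namespace, name)


def _key(obj: dict) -> Key:
    return obj["metadata"]["namespace"], obj["metadata"]["name"]


def certificates_without_rotation_policy(certs: dict) -> List[Key]:
    """Certificates relying on the default rotationPolicy (Never before 1.18, Always after)."""
    return [_key(c) for c in certs["items"]
            if (c["spec"].get("privateKey") or {}).get("rotationPolicy") is None]


def certificates_without_history_limit(certs: dict) -> List[Key]:
    """Certificates relying on the default revisionHistoryLimit (unlimited before 1.18, 1 after)."""
    return [_key(c) for c in certs["items"] if c["spec"].get("revisionHistoryLimit") is None]


def requests_by_certificate(reqs: dict) -> Dict[Key, List[int]]:
    """Group CertificateRequest revisions by owning Certificate via cert-manager's annotations."""
    groups: Dict[Key, List[int]] = defaultdict(list)
    for item in reqs["items"]:
        ann = item["metadata"].get("annotations") or {}
        name = ann.get("cert-manager.io/certificate-name")
        rev = ann.get("cert-manager.io/certificate-revision")
        if name is None or rev is None:
            continue  # not created by a Certificate, so the history limit does not apply
        groups[(item["metadata"]["namespace"], name)].append(int(rev))
    return groups


def revisions_to_be_collected(certs: dict, reqs: dict) -> Dict[Key, List[int]]:
    """Revisions older than the newest `limit` ones, where limit is the Certificate's
    explicit revisionHistoryLimit or, when unset, the new default of 1."""
    groups = requests_by_certificate(reqs)
    doomed: Dict[Key, List[int]] = {}
    for cert in certs["items"]:
        limit = cert["spec"].get("revisionHistoryLimit")
        effective = NEW_DEFAULT_HISTORY_LIMIT if limit is None else limit
        revs = sorted(groups.get(_key(cert), []))
        excess = revs[:len(revs) - effective] if len(revs) > effective else []
        if excess:
            doomed[_key(cert)] = excess
    return doomed


if __name__ == "__main__":
    for ns, name in certificates_without_rotation_policy(SAMPLE_CERTIFICATES):
        print(f"{ns}/{name}: no rotationPolicy set; 1.18 default Always rotates the key on renewal")
    for ns, name in certificates_without_history_limit(SAMPLE_CERTIFICATES):
        print(f"{ns}/{name}: no revisionHistoryLimit set; 1.18 default is 1")
    for (ns, name), revs in revisions_to_be_collected(SAMPLE_CERTIFICATES, SAMPLE_REQUESTS).items():
        print(f"{ns}/{name}: CertificateRequest revisions {revs} would be garbage collected")
```

To run it against a live cluster, replace the two constructed documents with `json.load()` of the saved kubectl output; anything the script flags is a Certificate to patch with an explicit rotationPolicy or revisionHistoryLimit before upgrading, if the old behavior is wanted.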

Copy annotations from Ingress or Gateway to the Certificate

We've added a new configuration option to the cert-manager controller: --extra-certificate-annotations, which allows you to specify annotation keys to be copied from an Ingress or Gateway resource to the resulting Certificate object. Read Annotated Ingress resource: Copy annotations to the Certificate, and Annotated Gateway resource: Copy annotations to the Certificate, to learn more.

Community

As always, we'd like to thank all of the community members who helped in this release cycle, including all below who merged a PR and anyone that helped by commenting on issues, testing, or getting involved in cert-manager meetings. We're lucky to have you involved.

A special thanks to:

for their contributions, comments and support!

Also, thanks to the cert-manager maintainer team for their help in this release:

And finally, thanks to the cert-manager steering committee for their feedback in this release cycle:

v1.18.2

We fixed a bug in the CSR's name constraints construction (only applies if you have enabled the NameConstraints feature gate). We dropped the new global.rbac.disableHTTPChallengesRole Helm option due to a bug we found; this feature will be released in v1.19 instead.

Changes since v1.18.1:

Bug or Regression

  • BUGFIX: permitted URI domains were incorrectly used to set the excluded URI domains in the CSR's name constraints (#7833)
  • Reverted adding the global.rbac.disableHTTPChallengesRole Helm option. (#7837)

v1.18.1

We have added a new feature gate ACMEHTTP01IngressPathTypeExact, to allow ingress-nginx users to turn off the new default Ingress PathType: Exact behavior, in ACME HTTP01 Ingress challenge solvers.

We have increased the ACME challenge authorization timeout to two minutes, which we hope will fix a timeout error (error waiting for authorization), which has been reported by multiple users, since the release of cert-manager v1.16.0. This change should fix the following issues: #7337, #7444, and #7685.

Changes since v1.18.0:

Feature

  • Added a new feature gate ACMEHTTP01IngressPathTypeExact, to allow ingress-nginx users to turn off the new default Ingress PathType: Exact behavior, in ACME HTTP01 Ingress challenge solvers. (#7810, @sspreitzer)

Bug or Regression

  • ACME: Increased challenge authorization timeout to 2 minutes to fix error waiting for authorization. (#7801, @hjoshi123)

Other (Cleanup or Flake)

  • Use the latest version of ingress-nginx in E2E tests to ensure compatibility (#7807, @wallrj)

v1.18.0

Changes since v1.17.2:

Feature

  • Add config to the Vault issuer to allow the server-name to be specified when validating the certificates the Vault server presents. (#7663, @ThatsMrTalbot)
  • Added app.kubernetes.io/managed-by: cert-manager label to the created Let's Encrypt account keys (#7577, @terinjokes)
  • Added certificate issuance and expiration time metrics (certmanager_certificate_not_before_timestamp_seconds, certmanager_certificate_not_after_timestamp_seconds). (#7612, @solidDoWant)
  • Added ingress-shim option --extra-certificate-annotations, which sets a list of annotation keys to be copied from Ingress-like to resulting Certificate object (#7083, @k0da)
  • Added the iss short name for the cert-manager Issuer resource
  • Added the ciss short name for the cert-manager ClusterIssuer resource (#7373, @SgtCoDFish)
  • Adds the global.rbac.disableHTTPChallengesRole helm value to disable HTTP-01 ACME challenges. This allows cert-manager to drop its permission to create pods, improving security when HTTP-01 challenges are not required. (#7666, @ali-hamza-noor)
  • Allow customizing signature algorithm (#7591, @tareksha)
  • Cache the full DNS response and handle TTL expiration in FindZoneByFqdn (#7596, @ThatsIvan)
  • Cert-manager now uses a local fork of the golang.org/x/crypto/acme package (#7752, @wallrj)
  • Add support for ACME profiles extension. (#7777, @wallrj)
  • Promote the UseDomainQualifiedFinalizer feature to GA. (#7735, @jsoref)
  • Switched service/servicemon definitions to use port names instead of numbers. (#7727, @jcpunk)
  • The default value of Certificate.Spec.PrivateKey.RotationPolicy changed from Never to Always. (#7723, @wallrj)
  • Set the default revisionHistoryLimit to 1 for the CertificateRequest revisions (#7758, @ali-hamza-noor)

Documentation

Bug or Regression

  • Bump go-jose dependency to address CVE-2025-27144. (#7606, @SgtCoDFish)
  • Bump golang.org/x/oauth2 to patch CVE-2025-22868.
  • Bump golang.org/x/crypto to patch GHSA-hcg3-q754-cr77.
  • Bump github.com/golang-jwt/jwt to patch GHSA-mh63-6h87-95cp. (#7638, @NicholasBlaskey)
  • Change of the Kubernetes Ingress pathType from ImplementationSpecific to Exact for a reliable handling of ingress controllers and enhanced security. (#7767, @sspreitzer)
  • Fix AWS Route53 error detection for not-found errors during deletion of DNS records. (#7690, @wallrj)
  • Fix behavior when running with --namespace=<namespace>: limit the scope of cert-manager to a single namespace and disable cluster-scoped controllers. (#7678, @tsaarni)
  • Fix handling of certificates with IP addresses in the commonName field; IP addresses are no longer added to the DNS subjectAlternativeName list and are instead added to the ipAddresses field as expected. (#7081, @johnjcool)
  • Fix issuing of certificates via DNS01 challenges on Cloudflare after a breaking change to the Cloudflare API (#7549, @LukeCarrier)
  • Fixed the certmanager_certificate_renewal_timestamp_seconds metric help text indicating that the metric is relative to expiration time, rather than Unix epoch time. (#7609, @solidDoWant)
  • Fixing the service account template to incorporate boolean values for the annotations. (#7698, @ali-hamza-noor)
  • Quote nodeSelector values in Helm Chart (#7579, @tobiasbp)
  • Skip Gateway TLS listeners in Passthrough mode. (#6986, @vehagn)
  • Upgrade golang.org/x/net fixing CVE-2025-22870. (#7619, @dependabot[bot])

Other (Cleanup or Flake)

  • ACME E2E Tests: Upgraded Pebble to v2.7.0 and modified the ACME tests to match latest Pebble behavior. (#7771, @wallrj)
  • Patch the third_party/forked/acme package with support for the ACME profiles extension. (#7776, @wallrj)
  • Promote the AdditionalCertificateOutputFormats feature to GA, making additional formats always enabled. (#7744, @erikgb)
  • Remove deprecated feature gate ValidateCAA. Setting this feature gate is now a no-op which does nothing but print a warning log line (#7553, @SgtCoDFish)
  • Upgrade golang.org/x/net fixing CVE-2025-22870. (#7619, @dependabot[bot])
  • Update kind images to include the Kubernetes 1.33 node image (#7787, @wallrj)
  • Upgrade Go to v1.24.4 (#7785, @wallrj)
  • Use slices.Contains to simplify code (#7753, @cuinix)