cert-manager releases

Learn about current and past releases of cert-manager.

Latest cert-manager release

The latest stable release of cert-manager is v1.16.2.

Downloads

  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.16.2
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller-fips:v1.16.2
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.16.2
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver-fips:v1.16.2
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.16.2
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector-fips:v1.16.2
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.16.2
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook-fips:v1.16.2
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck:v1.16.2
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck-fips:v1.16.2
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.16.2
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.16.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.16.2
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-controller-fips:v1.16.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.16.2
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver-fips:v1.16.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.16.2
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector-fips:v1.16.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.16.2
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook-fips:v1.16.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.16.2
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck-fips:v1.16.2
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.16.2
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.16.2

Release 1.16.2

cert-manager 1.16.2 was released on November 20, 2024.

Key features

  • PEM input validation updates: This patch release sets a maximum size for the PEM inputs that cert-manager will accept, removing the possibility of an input taking a long time to process. This prevents an unacceptable slow-down in parsing specially crafted PEM data. The issue is low severity; exploiting it would require privileged access, which would likely allow Denial-of-Service through other methods. In addition, since most PEM data parsed by cert-manager comes from ConfigMap or Secret resources, which have a maximum size of approximately 1MB, it is difficult to force cert-manager to parse large amounts of PEM data.

  • Dependency update: The version of Go used by cert-manager was updated to v1.23.3.
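
The note above (and the identical one under release 1.15.4) describes bounding the size of PEM input before parsing it. The Go program below is an added illustration of that kind of guard, not cert-manager's own code: it refuses inputs larger than a byte limit before the decoder ever scans them, and also caps the number of blocks it will decode from one input. The limits maxPEMInputBytes and maxPEMBlocks, and the sample bundle produced by samplePEM, are constructed for this example; the page does not state the limit cert-manager chose.

```go
package main

import (
	"bytes"
	"encoding/pem"
	"errors"
	"fmt"
)

// Limits used by this example. Both are constructed values chosen for
// illustration; the release note does not state cert-manager's actual limit.
const (
	maxPEMInputBytes = 64 * 1024 // largest raw input handed to the decoder
	maxPEMBlocks     = 16        // most blocks decoded from a single input
)

var (
	ErrPEMTooLarge   = errors.New("pem: input exceeds size limit")
	ErrTooManyBlocks = errors.New("pem: too many blocks")
	ErrNoBlocks      = errors.New("pem: no PEM block found")
)

// DecodePEMBounded decodes every PEM block in data. The size check happens
// before any scanning, so the work done is bounded by maxBytes rather than by
// whatever a caller (or a Secret) happens to contain; decoding stops with an
// error once more than maxBlocks blocks are present.
func DecodePEMBounded(data []byte, maxBytes, maxBlocks int) ([]*pem.Block, error) {
	if len(data) > maxBytes {
		return nil, fmt.Errorf("%w: %d bytes, limit %d", ErrPEMTooLarge, len(data), maxBytes)
	}
	var blocks []*pem.Block
	rest := data
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if len(blocks) == maxBlocks {
			return nil, fmt.Errorf("%w: more than %d", ErrTooManyBlocks, maxBlocks)
		}
		blocks = append(blocks, block)
	}
	if len(blocks) == 0 {
		return nil, ErrNoBlocks
	}
	return blocks, nil
}

// samplePEM builds a constructed bundle of n CERTIFICATE blocks. The block
// bodies are placeholder bytes, not real certificates; only the PEM framing
// matters for this example.
func samplePEM(n int) []byte {
	var buf bytes.Buffer
	for i := 0; i < n; i++ {
		pem.Encode(&buf, &pem.Block{Type: "CERTIFICATE", Bytes: []byte{byte(i), 0x01, 0x02}})
	}
	return buf.Bytes()
}

func main() {
	blocks, err := DecodePEMBounded(samplePEM(3), maxPEMInputBytes, maxPEMBlocks)
	fmt.Println("small bundle:", len(blocks), "blocks, err =", err)

	// An input just over the byte limit is rejected without being scanned.
	oversize := bytes.Repeat([]byte("A"), maxPEMInputBytes+1)
	_, err = DecodePEMBounded(oversize, maxPEMInputBytes, maxPEMBlocks)
	fmt.Println("oversize input:", err)
}
```

The point of checking len(data) first is that the cost of the check is constant, whereas the cost of decoding grows with the input; a parser that validates after scanning has already paid the price the limit was meant to avoid.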

Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.16.2
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller-fips:v1.16.2
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.16.2
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver-fips:v1.16.2
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.16.2
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector-fips:v1.16.2
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.16.2
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook-fips:v1.16.2
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.16.2
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.16.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.16.2
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-controller-fips:v1.16.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.16.2
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver-fips:v1.16.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.16.2
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector-fips:v1.16.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.16.2
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook-fips:v1.16.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.16.2
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck-fips:v1.16.2
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.16.2
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.16.2

Release 1.16.1

cert-manager 1.16.1 was released on October 9, 2024.

Key features

  • This patch release fixes an issue that caused the cert-manager's ACME ClusterIssuer to look in the wrong namespace for resources required for the issuance (for example, credential Secrets).
  • Helm schema validation: the new schema validation was too strict for the "global" section. Since the global section is shared across all charts and sub-charts, unknown fields are now allowed.
  • Helm will now accept percentages for the podDisruptionBudget.minAvailable and podDisruptionBudget.maxAvailable values.
  • Helm: the enabled value can now be set to toggle cert-manager as a dependency.

Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.16.1
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller-fips:v1.16.1
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.16.1
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver-fips:v1.16.1
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.16.1
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector-fips:v1.16.1
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.16.1
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook-fips:v1.16.1
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.16.1
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.16.1
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.16.1
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-controller-fips:v1.16.1
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.16.1
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver-fips:v1.16.1
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.16.1
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector-fips:v1.16.1
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.16.1
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook-fips:v1.16.1
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.16.1
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck-fips:v1.16.1
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.16.1
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.16.1

Release 1.16.0

cert-manager 1.16.0 was released on October 3, 2024.

Breaking changes

Before upgrading cert-manager from 1.15.x to 1.16.0, please read the following important notes about breaking changes in 1.16.0:

  • TLS Protect Datacenter authentication

    cert-manager no longer uses the API Key authentication method which was deprecated in TLS Protect Datacenter 20.2 and which has since been removed in TLS Protect Datacenter 24.1.

    Venafi Issuer may fail to renew certificates if the issuer has been configured for TLS Protect Datacenter with username-password authentication.

  • Venafi Issuer certificate renewal

    Venafi Issuer may fail to renew certificates if the duration conflicts with the CA minimum / maximum duration policy in Venafi.

  • Helm validation

    Helm schema validation may reject your existing Helm values files if they contain typos or unrecognized fields.

Key features

  • Extended metrics

    The webhook and cainjector components now have metrics servers so that platform teams can monitor the performance of all the cert-manager components and gain more information about the underlying Go runtime in the event of a problem.

  • Venafi Issuer updates

    If you use the Venafi Issuer with a TLS Protect Datacenter server with username-password authentication, cert-manager 1.16.0 now uses OAuth authentication instead of the deprecated API Key authentication. This is a potentially breaking change, because you may need to reconfigure your TLS Protect Datacenter server to enable OAuth authentication, and you may need to reconfigure the cert-manager service accounts in TLS Protect Datacenter to work with OAuth.

    The desired certificate.spec.duration value is now sent to the Venafi API server. The default value for certificate.spec.duration is 90 days, but you may have changed this in your Certificate resources. Your Venafi issuing template may be configured to ignore the requested From and To times, in which case nothing will change. Your Venafi issuing template may be configured with a maximum or a minimum duration, in which case your certificate requests may fail after you upgrade to cert-manager 1.16.0. Consider this carefully when upgrading to cert-manager 1.16.

    When connecting to Venafi TLS Protect Datacenter, cert-manager can now load the CA certificate from a Secret resource. This allows you to manage the CA with familiar tools such as Trust Manager.

  • Route53 DNS01 Solver updates

    This release includes code and logging improvements to make debugging easier.

    API validation has been relaxed so that the region field is now optional. cert-manager now falls back to the AWS_REGION environment variable of the controller Pod, regardless of which authentication mechanism is used.

    If you use IAM Roles for Service Accounts or Pod Identity, you need not specify the region. If your Issuer or ClusterIssuer does include a region (for the sake of satisfying the old API validation), that issuer region is ignored when the AWS_REGION environment variable is set.

    cert-manager now uses regional STS endpoints, when using AssumeRole or when using a dedicated (non-mounted) Kubernetes service account. The regional endpoint will be computed based on the Issuer region field, or the AWS_REGION environment variable.

    Info

    This change only affects the AssumeRole configuration, which is used for cross-account authentication, and the AssumeRoleWithWebIdentity configuration, where the user supplies the name of a Kubernetes service account. It does not affect you if you have configured the cert-manager service account for IRSA, where the ServiceAccount token is mounted into the cert-manager controller Pod. Regional STS endpoints were already being used in that case.

    Info

    There are good reasons to use regional STS endpoints, summarized as follows on the Amazon AWS blog:

    Although the global (legacy) AWS STS endpoint https://sts.amazonaws.com is highly available, it’s hosted in a single AWS Region — US East (N. Virginia) — and like other endpoints, it doesn’t provide automatic fail-over to endpoints in other Regions.

    For more information on which regions support STS, see Manage AWS STS in an AWS Region.

    For more information on how to configure the use of regional STS endpoints using environment variables, see AWS STS Regional endpoints.

  • Memory optimizations

    The cainjector no longer caches Secret data, and now only caches the metadata of Secret resources. This significantly reduces its memory usage. It also reduces the load on the Kubernetes API server when cainjector starts up, because it no longer needs to send all the data of all the Secret resources over the network.

    A new ClientWatchList feature flag was added to the controller, cainjector, and the webhook. This reduces the load on the Kubernetes API server because cert-manager components no longer request complete unpaged lists of all API resources when they start up. It also reduces the peak memory use of the cert-manager components at startup, because they no longer have to hold a duplicate unpaged list of resources in memory while adding them to the client-side cache.

  • Helm schema validation

    The Helm chart now includes a JSON schema which validates the values that you supply when installing the chart. This will help you to get your Helm values right the first time, and it will alert you to typos and unrecognized fields in your existing Helm values files.

Other changes

  • The label app.kubernetes.io/managed-by: "cert-manager" was added to secret/cert-manager-webhook-ca. This label is useful when filtering managed Secrets in a multi-tenant cluster to generate reports or alerts.
  • You can now specify a Pod template when using the GatewayAPI HTTP01 solver to configure various aspects of the pod such as tolerations and affinity. This mirrors the behavior when using the Ingress HTTP01 solver.
  • This release allows you to add RBAC for the service account to create tokens. These are required when using the service account for authenticating against AWS IRSA when configuring Route53.
  • You can also now append the cert-manager user-agent string to all AWS API requests, including IMDS and STS requests.
  • AWS SDK warnings and API requests are now logged at cert-manager debug level to help debug AWS Route53 problems in the field.
  • Release v1.16.0 includes the ability to pass a specified duration down to the Venafi client instead of using only the CA default. Previously the duration specified on the Certificate resource was not passed to the Venafi client when using Venafi as the issuer, and only the CA default expiry was used.
  • Configuration for the pod security context of HTTP-01 solver pods was added in this release.
  • The issuer.spec.acme.solvers.dns01.route53.region field is now optional.

Bug fixes

  • Support was added for using a domain-qualified finalizer. This is turned off by default. If turned on, it prevents Kubernetes from reporting: metadata.finalizers: "finalizer.acme.cert-manager.io": prefer a domain-qualified finalizer name to avoid accidental conflicts with other finalizer writers.
  • A fix was implemented to correct an issue where the dynamic certificate source used by the webhook TLS server failed to detect a root CA approaching expiration, due to a calculation error. This caused the webhook TLS server to fail to renew its CA certificate. You should upgrade before the expiration of this CA certificate is reached.
  • A fix was added to correct an issue that caused the Vault issuer not to retry signing when an error was encountered.
  • A fix was added to prevent aggressive Route53 retries which were caused by IRSA authentication failures. The fix removes the Amazon Request ID from errors wrapped by the default credential cache.
  • A fix was added to prevent aggressive Route53 retries caused by STS authentication failures. The fix removes the Amazon Request ID from STS errors.
  • This release includes a fix to handle errors arising from challenges missing from the ACME server.
  • The KeyUsage x509 extension is no longer added when no key usages are set, in accordance with RFC 5280 Section 4.2.1.3.
  • A fix was added to rectify an issue where Azure DNS caused panics whenever an authentication error occurred.
  • Incorrect indentation of endpointAdditionalProperties in the PodMonitor template of the Helm chart was corrected.
  • A fix was included for an issue where the cainjector ConfigMap was not mounted in the cainjector deployment.
  • Validation was added to improve startupapicheck so that it checks that validating and mutating webhooks are working correctly.
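
Two of the fixes above concern properties of a certificate that can be checked directly: whether a root CA is detected as approaching expiration (the webhook TLS server fix), and whether the KeyUsage extension is absent when no key usages are set (RFC 5280 Section 4.2.1.3). The Go program below is an added example, not cert-manager's code. It generates a constructed self-signed CA, computes the renewal point from the certificate's own NotBefore and NotAfter (two thirds of the way through the lifetime, a renewal fraction assumed for this example rather than taken from cert-manager), and inspects the parsed certificate for the id-ce-keyUsage extension; Go's x509.CreateCertificate omits that extension when the template's KeyUsage is zero.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidKeyUsage is id-ce-keyUsage from RFC 5280 section 4.2.1.3.
var oidKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 15}

// newSelfSignedCA builds a constructed self-signed CA certificate with the
// given lifetime and key usage bits. keyUsage == 0 means "no key usages set".
// The subject name is a placeholder for the example.
func newSelfSignedCA(notBefore time.Time, lifetime time.Duration, keyUsage x509.KeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-webhook-ca"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(lifetime),
		KeyUsage:              keyUsage,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasKeyUsageExtension reports whether the parsed certificate carries the
// id-ce-keyUsage extension at all (regardless of which bits are set).
func hasKeyUsageExtension(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidKeyUsage) {
			return true
		}
	}
	return false
}

// renewalTime is the point at which the certificate should be renewed: two
// thirds of the way through its validity (assumed renewal fraction). It is
// derived from the certificate's own NotBefore/NotAfter every time, rather
// than from a lifetime remembered at issuance, so the answer stays correct for
// a certificate that was loaded from storage rather than just created.
func renewalTime(cert *x509.Certificate) time.Time {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	return cert.NotBefore.Add(lifetime * 2 / 3)
}

// needsRenewal reports whether renewal is due at time now.
func needsRenewal(cert *x509.Certificate, now time.Time) bool {
	return !now.Before(renewalTime(cert))
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	year := 365 * 24 * time.Hour

	ca, err := newSelfSignedCA(start, year, 0)
	if err != nil {
		panic(err)
	}
	fmt.Println("keyUsage extension present with no usages set:", hasKeyUsageExtension(ca))
	fmt.Println("renew at:", renewalTime(ca).Format(time.RFC3339))
	fmt.Println("renewal due at day 100:", needsRenewal(ca, start.Add(100*24*time.Hour)))
	fmt.Println("renewal due at day 300:", needsRenewal(ca, start.Add(300*24*time.Hour)))

	signing, err := newSelfSignedCA(start, year, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature)
	if err != nil {
		panic(err)
	}
	fmt.Println("keyUsage extension present with usages set:", hasKeyUsageExtension(signing))
}
```

The renewal check deliberately compares against a time computed from the certificate rather than against a cached "renew at" value; a renewal routine that keeps its own bookkeeping can drift from what the certificate actually says, which is the class of mistake the release note describes.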

Dependency updates

  • k8s.io/client-go was updated to v0.31.0.
  • google.golang.org/grpc was updated to v1.64.1 to fix GHSA-xr7q-jx4m-x55m.
  • github.com/hashicorp/go-retryablehttp was updated to v0.7.7 to fix CVE-2024-6104.
  • github.com/Azure/azure-sdk-for-go/sdk/azidentity was updated to v1.6.0 to address CVE-2024-35255.

Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.16.0
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller-fips:v1.16.0
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.16.0
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver-fips:v1.16.0
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.16.0
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector-fips:v1.16.0
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.16.0
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook-fips:v1.16.0
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.16.0
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.16.0
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.16.0
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-controller-fips:v1.16.0
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.16.0
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver-fips:v1.16.0
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.16.0
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector-fips:v1.16.0
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.16.0
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook-fips:v1.16.0
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.16.0
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck-fips:v1.16.0
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.16.0
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.16.0

Release 1.15.4

cert-manager 1.15.4 was released on November 19, 2024.

Key features

  • PEM input validation updates: This patch release sets a maximum size for the PEM inputs that cert-manager will accept, removing the possibility of an input taking a long time to process. This prevents an unacceptable slow-down in parsing specially crafted PEM data. The issue is low severity; exploiting it would require privileged access, which would likely allow Denial-of-Service through other methods. In addition, since most PEM data parsed by cert-manager comes from ConfigMap or Secret resources, which have a maximum size of approximately 1MB, it is difficult to force cert-manager to parse large amounts of PEM data.

  • Bug fix: This release includes a fix to prevent aggressive Route53 retries caused by STS authentication failures, by removing the Amazon Request ID from STS errors.

  • Dependency update: The version of Go used by cert-manager was updated to v1.22.9.

Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.15.4
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller-fips:v1.15.4
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.15.4
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver-fips:v1.15.4
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.15.4
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector-fips:v1.15.4
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.15.4
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook-fips:v1.15.4
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.15.4
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.15.4
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.15.4
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-controller-fips:v1.15.4
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.15.4
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver-fips:v1.15.4
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.15.4
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector-fips:v1.15.4
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.15.4
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook-fips:v1.15.4
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.15.4
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck-fips:v1.15.4
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.15.4
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.15.4

Release 1.15.3

cert-manager 1.15.3 was released on August 16, 2024.

Key features

  • This patch release fixes an issue where the dynamic certificate source used by the webhook TLS server failed to detect a root CA approaching expiration, due to a calculation error. This will cause the webhook TLS server to fail to renew its CA certificate. Please upgrade before the expiration of this CA certificate is reached.

Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.15.3
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller-fips:v1.15.3
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.15.3
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver-fips:v1.15.3
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.15.3
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector-fips:v1.15.3
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.15.3
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook-fips:v1.15.3
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.15.3
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.15.3
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.15.3
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-controller-fips:v1.15.3
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.15.3
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver-fips:v1.15.3
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.15.3
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector-fips:v1.15.3
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.15.3
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook-fips:v1.15.3
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.15.3
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck-fips:v1.15.3
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.15.3
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.15.3

Release 1.15.2

cert-manager 1.15.2 was released on July 30, 2024.

Key features

  • The ACME issuer Azure DNS DNS-01 solver was updated to fix panics caused by authentication errors.
  • The ACME issuer HTTP-01 solver was updated to fix a bug which caused unbounded HTTPRoute resources with Gateway API.
  • A fix was included for an incorrect value and indentation of endpointAdditionalProperties in the PodMonitor template of the Helm chart.
  • The route53 "aws-global" STS region is now explicitly set, as this is now required by the github.com/aws/aws-sdk-go-v2 library.
  • grpc-go has been updated to v1.64.1.
  • This release updates the version of Go used to 1.22.5.

Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.15.2
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller-fips:v1.15.2
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.15.2
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver-fips:v1.15.2
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.15.2
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector-fips:v1.15.2
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.15.2
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook-fips:v1.15.2
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.15.2
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.15.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.15.2
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-controller-fips:v1.15.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.15.2
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver-fips:v1.15.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.15.2
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector-fips:v1.15.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.15.2
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook-fips:v1.15.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.15.2
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck-fips:v1.15.2
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.15.2
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.15.2

Release 1.15.1

cert-manager 1.15.1 was released on June 26, 2024.

Key features

  • This patch release fixes the following vulnerability in the Microsoft Azure SDK: CVE-2024-35255.
  • This release also fixes an issue that caused the HashiCorp Vault issuer not to retry signing when an error was encountered.
  • The go-retryablehttp dependency was updated to v0.7.7 to fix the following vulnerability: CVE-2024-6104.

Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.15.1
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller-fips:v1.15.1
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.15.1
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver-fips:v1.15.1
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.15.1
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector-fips:v1.15.1
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.15.1
  • FIPS Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook-fips:v1.15.1
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.15.1
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.15.1
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.15.1
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-controller-fips:v1.15.1
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.15.1
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver-fips:v1.15.1
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.15.1
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector-fips:v1.15.1
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.15.1
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook-fips:v1.15.1
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.15.1
  • FIPS Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck-fips:v1.15.1
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.15.1
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.15.1

Release 1.15.0

cert-manager 1.15.0 was released on June 5, 2024.

Breaking changes

Before upgrading cert-manager from 1.14.x to 1.15.0, please read the following important notes about breaking changes in 1.15.0:

GatewayAPI support

GatewayAPI support has been promoted to Beta, and thus the feature flag ExperimentalGatewayAPISupport is now enabled by default.

If you enabled this feature flag in version 1.14, you will now need to pass the flag --enable-gateway-api instead. This is because, while the feature is now enabled by default, cert-manager will not crash if the GatewayAPI CRDs are not installed.

CRD retention

Helm will now keep the CRDs when you uninstall cert-manager by default to prevent accidental data loss. New crds.keep and crds.enabled Helm options were added to replace the installCRDs option.

cmctl

The cert-manager CLI has moved to a new GitHub repository for this release.

From this release, cmctl is no longer released with cert-manager itself, and there will be no further quay.io/jetstack/cert-manager-ctl OCI images.

For the startupapicheck Job you should update references to point at quay.io/jetstack/cert-manager-startupapicheck.

Key features

  • GatewayAPI support has graduated to Beta. The ExperimentalGatewayAPISupport feature flag is now enabled by default. An --enable-gateway-api flag / configuration file option has been added; it is disabled by default.
  • This release adds support for numeric OID types in LiteralSubject. For example: 1.2.3.4=String Value.
  • Updated the Route53 provider to support fetching credentials using AssumeRoleWithWebIdentity.
  • cert-manager now supports specifying a custom key alias in a JKS Keystore.
  • You can now communicate with HashiCorp Vault using mTLS when strict client certificates are enabled on the Vault server side.
  • There is now an option to provide additional audiences in the service account authentication section for HashiCorp Vault.
  • Venafi Enhanced Issuer now sends a cert-manager HTTP User-Agent header in all Venafi REST API requests.

    For example: cert-manager-certificaterequests-issuer-venafi/v1.15.0+(linux/amd64)+cert-manager/ef068a59008f6ed919b98a7177921ddc9e297200.

  • A new Ingress annotation was added for copying specific Ingress annotations to Certificate's secretTemplate.

  • The LiteralCertificateSubject feature is now promoted to Beta.
  • cert-manager.io/allow-direct-injection is now allowed in annotations.
  • If the --controllers flag only specifies disabled controllers, the default controllers are now enabled implicitly.
  • disableAutoApproval and approveSignerNames Helm chart options are now available.
  • A hint was added to validation error messages to help users of external issuers troubleshoot issues more easily if they specify a Kind but forget the Group.
  • The Helm chart now allows you to supply extraObjects, a list of YAML manifests that Helm will install and uninstall together with the cert-manager manifests.
  • Optional hostAliases was added to the cert-manager pod to allow the DNS self-check to pass in custom scenarios.

Bug fixes

  • DigitalOcean: Ensure that only TXT records are considered for deletion when cleaning up after an ACME challenge.
  • Fixed an issue where an unintended certificate chain was used if preferredChain is configured.
  • Fixed the ACME issuer waiting for DNS propagation when using Azure DNS with multiple instances issuing for the same FQDN.
  • Fixed issue with JSON-logging where only a subset of the log messages were output as JSON.
  • JKS and PKCS12 stores now contain the full set of CAs specified by an issuer.
  • Fixed an issue where the cainjector leaderelection flag/configuration option defaults were missing.
  • Corrected an issue where cert-manager issuers incorrectly copied the critical flag from the CSR instead of re-calculating that field themselves.
  • Updated cert-manager to fix an issue where LiteralSubjects with a #= value can result in memory issues due to a faulty BER parser.
  • Fixed backwards incompatible removal of default prometheus Service resource.
  • Fixed the broken cainjector image value in the Helm chart.
  • Added a fix to ensure Azure SDK error messages are stable.
  • When using the literalSubject on a Certificate, the webhook validation for the common name now also points to the literalSubject.
  • Fixed an error in the logic that differentiates between 0 and an empty value in Helm.

Other

  • crds.keep and crds.enabled Helm options were added to replace the installCRDs option.
  • Remove deprecated pkg/util/pki/ParseSubjectStringToRawDERBytes function.
  • The following components were upgraded in this release:

    • Kind was upgraded to v0.23.0.
    • Go was upgraded to v1.22.4 to fix GO-2024-2824 / CVE-2024-24788.
    • golang.org/x/net was upgraded to v0.24.0 to fix CVE-2023-45288.
    • github.com/go-jose/go-jose was upgraded to v3.0.3 to fix CVE-2024-28180.
    • google.golang.org/protobuf was upgraded to v1.33.0 to fix GO-2024-2611 / CVE-2024-24786.

Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.15.0
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.15.0
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.15.0
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.15.0
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck:v1.15.0
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.15.0
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.15.0
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.15.0
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.15.0
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.15.0
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.15.0
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.15.0
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.15.0
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.15.0

Release 1.14.7

cert-manager 1.14.7 was released on June 21, 2024.

Key features

  • This patch release fixes the following vulnerability in the Microsoft Azure SDK: CVE-2024-35255.
  • This release also fixes an issue that caused the HashiCorp Vault issuer not to retry signing when an error was encountered.
Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.14.7
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.14.7
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.14.7
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.14.7
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck:v1.14.7
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.7
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.14.7
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.14.7
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.14.7
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.14.7
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.14.7
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.14.7
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.7
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.14.7

Release 1.14.6

cert-manager 1.14.6 was released on June 5, 2024.

Key features

  • This release upgrades Go to 1.21.11, to fix GO-2024-2824 and bring in security fixes for archive/zip and net/netip.
  • Helm: the cainjector ConfigMap was not mounted in the cainjector deployment.
Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.14.6
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.14.6
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.14.6
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.14.6
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck:v1.14.6
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.6
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.14.6
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.14.6
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.14.6
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.14.6
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.14.6
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.14.6
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.6
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.14.6

Release 1.14.5

cert-manager 1.14.5 was released on April 25, 2024.

Key features

  • This patch release fixes a bug in the DigitalOcean DNS-01 provider, which could cause incorrect DNS records to be deleted when using a domain with a CNAME.
  • This release also updates golang.org/x/net to the latest golang patch version - 1.21.9. This update addresses CVE-2023-45288.

Known Issue

The wrong certificate chain may be used if preferredChain is configured for ACME Issuer (Let's Encrypt). For more information, see the 1.14.4 release notes.

Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.14.5
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.14.5
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.14.5
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.14.5
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck:v1.14.5
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.5
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.14.5
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.14.5
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.14.5
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.14.5
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.14.5
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.14.5
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.5
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.14.5

Release 1.14.4

cert-manager 1.14.4 was released on March 7, 2024.

Important

When upgrading to cert-manager release 1.14, skip all previous versions of the 1.14 release, and install this patch release instead.

Key features

  • This release allows 'cert-manager.io/allow-direct-injection' in annotations.
  • An issue where JKS and PKCS12 stores did not contain the full set of CAs specified by an issuer was fixed.
  • An issue was also corrected where the cainjector leader election flag/configuration option defaults were missing.
  • This release upgrades the versions of Helm to v3.14.2, Go to v1.21.8, and google.golang.org/protobuf to v1.33.0.
Known Issue

ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured

On February 8th 2024, Let's Encrypt stopped providing their cross-signed certificate chain by default, in requests made to their /acme/certificate API endpoint. Instead the short-chain is returned by default and the long-chain (cross-signed) certificate chain is now included among the "alternate" chains. The cert-manager ACME Issuer API has a preferredChain field since v1.0.0, which is documented as follows:

PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. For example, for Let’s Encrypt’s DST cross sign you would use: “DST Root CA X3” or “ISRG Root X1” for the newer Let’s Encrypt root CA. This value picks the first certificate bundle in the ACME alternative chains that has a certificate with this value as its issuer’s CN.

The problem is that the preferredChain feature matches the issuer CN of any certificate in the chain. The result is that some users who set Issuer.spec.acme.preferredChain: ISRG Root X1 in order to get early access to the Let's Encrypt short-chain certificates will get long-chain (cross-signed) certificates when they renew after February 8th, 2024. But most users will not be affected. Their new certificates will contain the short-chain (not cross-signed) which terminates at ISRG Root X1.

This issue will be addressed in a future release without breaking functionality for users who have come to rely on the existing documented behavior.

Workarounds

  • Remove the spec.acme.preferredChain: ISRG Root X1 field from the Issuer or ClusterIssuer, and then renew any certificates which use that issuer and which have been renewed since February 8th, 2024. The new certificates will have a shorter chain which terminates at the self-signed root certificate for ISRG Root X1.

  • Do nothing. The affected certificates will have a longer chain which terminates at DST Root CA X3 and which contains the cross-signed intermediate certificate for ISRG Root X1, which expires on September 30th, 2024. But that's OK as long as DST Root CA X3 is trusted by your clients. And your 90 day leaf certificate is certain to be renewed before that date, and certain to be renewed after June 6th, 2024, on which day Let's Encrypt will stop providing the longer cross-signed chain entirely.

    Warning

    There may be clients that are incompatible with DST Root CA X3.
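
To make the matching rule described above concrete, here is an added Go example (not cert-manager's code) that models the documented selection logic on constructed chains. Certificates are represented only by their subject and issuer CNs; selectDocumented checks the alternate chains before the server's default chain and accepts the first chain containing any certificate whose issuer CN equals preferredChain, which is exactly why the post-February layout (short chain default, cross-signed chain alternate) flips the result. terminatesAt is the check an operator can apply to an issued chain to tell the two outcomes apart. The example.com leaf, the chain contents and the default/alternate ordering are all constructed for the demonstration.

```go
package main

import "fmt"

// cert is a minimal stand-in for an X.509 certificate: only the two fields
// the preferredChain matcher looks at. Constructed for this example.
type cert struct {
	SubjectCN string
	IssuerCN  string
}

// chain is an ordered bundle as returned by the ACME server, leaf first.
type chain []cert

// Constructed chains mirroring the Let's Encrypt layout described above.
var (
	shortChain = chain{
		{SubjectCN: "example.com", IssuerCN: "R3"},
		{SubjectCN: "R3", IssuerCN: "ISRG Root X1"},
	}
	longChain = chain{
		{SubjectCN: "example.com", IssuerCN: "R3"},
		{SubjectCN: "R3", IssuerCN: "ISRG Root X1"},
		{SubjectCN: "ISRG Root X1", IssuerCN: "DST Root CA X3"}, // cross-signed intermediate
	}
)

// hasIssuerCN reports whether any certificate in the chain was issued by a CA
// with the given CN. This is the loose match the release note describes.
func hasIssuerCN(c chain, cn string) bool {
	for _, crt := range c {
		if crt.IssuerCN == cn {
			return true
		}
	}
	return false
}

// selectDocumented models the documented preferredChain behaviour: walk the
// alternate chains first and return the first one containing a certificate
// whose issuer CN matches; otherwise fall back to the server's default chain.
func selectDocumented(def chain, alternates []chain, preferred string) chain {
	if preferred == "" {
		return def
	}
	for _, alt := range alternates {
		if hasIssuerCN(alt, preferred) {
			return alt
		}
	}
	return def
}

// terminatesAt is the check an operator actually wants to run on an issued
// bundle: does the chain end in a certificate issued by the named root?
func terminatesAt(c chain, rootCN string) bool {
	if len(c) == 0 {
		return false
	}
	return c[len(c)-1].IssuerCN == rootCN
}

func main() {
	const preferred = "ISRG Root X1"
	// Before 2024-02-08: default = long (cross-signed), alternate = short.
	before := selectDocumented(longChain, []chain{shortChain}, preferred)
	// After 2024-02-08: default = short, alternate = long.
	after := selectDocumented(shortChain, []chain{longChain}, preferred)
	fmt.Printf("before: %d certs, anchored on ISRG Root X1: %v\n", len(before), terminatesAt(before, preferred))
	fmt.Printf("after:  %d certs, anchored on ISRG Root X1: %v\n", len(after), terminatesAt(after, preferred))
}
```

The same selector picks the two-certificate chain before the cut-over and the three-certificate cross-signed chain after it, with no change to the Issuer; terminatesAt on the issued bundle is what distinguishes the two, and it is the property the "Do nothing" workaround relies on (DST Root CA X3 being trusted by your clients).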

Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.14.4
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.14.4
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.14.4
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.14.4
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck:v1.14.4
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.4
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.14.4
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.14.4
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.14.4
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.14.4
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.14.4
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.14.4
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.4
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.14.4

Release 1.14.3

cert-manager 1.14.3 was released on February 23, 2024.

Important

When upgrading to cert-manager release 1.14, skip v1.14.0, v1.14.1, and v1.14.2, and install this patch release instead.

Key features

  • This release fixes an issue with JSON-logging, where only a subset of the log messages were output as JSON.
  • This release also corrects an issue where LiteralSubjects with a #= value can result in memory issues due to a faulty BER parser.
Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.14.3
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.14.3
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.14.3
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.14.3
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck:v1.14.3
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.3
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.14.3
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.14.3
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.14.3
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.14.3
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.14.3
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.14.3
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.3
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.14.3

Release 1.14.2

cert-manager 1.14.2 was released on February 8, 2024.

Key features

  • The release fixes an issue where cert-manager CA and SelfSigned issuers incorrectly copied the critical flag from the CSR instead of re-calculating that field.
  • This release also corrects an issue with the Helm trick used to differentiate between 0 and an empty value.
Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.14.2
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.14.2
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.14.2
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.14.2
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck:v1.14.2
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.2
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.14.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.14.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.14.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.14.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.14.2
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.14.2
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.2
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.14.2

Release 1.14.1

cert-manager 1.14.1 was released on February 2, 2024.

Key features

cert-manager 1.14.1 brings a variety of features, security improvements and bug fixes, including support for creating X.509 certificates with Other Name fields, and support for creating CA certificates with Name Constraints and Authority Information Accessors extensions.

Important

The startupapicheck job uses a new OCI image called cert-manager-startupapicheck, instead of the cert-manager-ctl image. If you run in an environment in which images can't be pulled, be sure to include the new image.

  • New X.509 features

    • The cert-manager certificate resource now allows you to configure a subset of "Other Name" SANs, which are described in the Subject Alternative Name section of RFC 5280 (on page 37).

    • We specifically support any otherName type with a UTF-8 value, such as the User Principal Name or sAMAccountName. These are useful when issuing unique certificates for authenticating with LDAP systems such as Microsoft Active Directory. For example you can create certificates with this block in the spec:

      otherNames:
        - oid: 1.3.6.1.4.1.311.20.2.3 # UPN OID
          utf8Value: upn@domain.local


      The feature is still in alpha stage and requires you to enable the OtherName feature flag in the controller and webhook components.

  • New CA certificate features

    • You can now specify the X.509 v3 Authority Information Accessors extension, with URLs for certificates issued by the CA issuer.

    • Users can now use name constraints in CA certificates. For more details on name constraints, see RFC 5280 section 4.2.1.10.

  • Security updates

    • An ongoing security audit of the cert-manager code revealed some weaknesses which were addressed in this release, such as using more secure default settings in the HTTP servers that serve metrics, healthz and pprof endpoints. This will help mitigate denial-of-service attacks against those services.

    • All the cert-manager containers are now configured with read-only root file system by default, to prevent unexpected changes to the file system of the OCI image.

    • It is now possible to configure the metrics server to use HTTPS rather than HTTP, so that clients can verify the identity of the metrics server.

  • Miscellaneous

    • The liveness probe of the cert-manager controller Pod is now enabled by default.

    • There is a new option .spec.keystores.pkcs12.algorithms to specify encryption and MAC algorithms for PKCS#12 keystores.

    • The KeyUsage and BasicConstraints extensions are now encoded as critical in the CertificateRequest's CSR blob.

    • cert-manager 1.14.1 fixes issues in the Helm chart, as well as minor issues in cmctl.
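
The "Security updates" item above mentions more secure default settings for the HTTP servers behind the metrics, healthz and pprof endpoints. The following added Go example (not cert-manager's code) shows the kind of hardening involved with the standard net/http server: the weak baseline, a zero-value http.Server with no timeouts, is placed beside a server with explicit header, read, write and idle timeouts and a header-size cap. idleConnClosedWithin then demonstrates the difference by opening one loopback connection that never sends a request and checking whether the server drops it. The timeout values are assumptions chosen so the demonstration finishes in a couple of seconds, not cert-manager's settings.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)

// newHardenedServer returns an http.Server for operational endpoints (metrics,
// healthz, pprof) with explicit limits. The values are assumptions for this
// example; production values should match your scrape interval and probe
// timeouts.
func newHardenedServer(h http.Handler) *http.Server {
	return &http.Server{
		Handler:           h,
		ReadHeaderTimeout: 500 * time.Millisecond, // bound the wait for request headers
		ReadTimeout:       2 * time.Second,        // bound the wait for the whole request
		WriteTimeout:      2 * time.Second,        // bound the time to write a response
		IdleTimeout:       5 * time.Second,        // drop keep-alive connections that go quiet
		MaxHeaderBytes:    16 << 10,               // cap header size per request
	}
}

// newDefaultServer is the weak baseline: Go's zero-value server has no
// timeouts at all, so a connection that never sends anything is held open
// indefinitely.
func newDefaultServer(h http.Handler) *http.Server {
	return &http.Server{Handler: h}
}

// idleConnClosedWithin serves srv on a loopback listener, opens one TCP
// connection that never sends a request, and reports whether the server
// closes that connection within d.
func idleConnClosedWithin(srv *http.Server, d time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	go srv.Serve(ln) // returns once srv.Close() runs below
	defer srv.Close()

	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()

	// Read until the server hangs up (EOF); give up after d.
	if err := conn.SetReadDeadline(time.Now().Add(d)); err != nil {
		return false, err
	}
	_, err = io.ReadAll(conn)
	if err == nil {
		return true, nil // EOF: the server closed the idle connection
	}
	if ne, ok := err.(net.Error); ok && ne.Timeout() {
		return false, nil // still open when our deadline expired
	}
	return false, err
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") })
	for name, srv := range map[string]*http.Server{
		"hardened": newHardenedServer(ok),
		"default":  newDefaultServer(ok),
	} {
		closed, err := idleConnClosedWithin(srv, 1500*time.Millisecond)
		fmt.Printf("%-8s idle connection closed within 1.5s: %v (err=%v)\n", name, closed, err)
	}
}
```

The hardened server closes the silent connection once ReadHeaderTimeout elapses, while the default server keeps it open for as long as the client likes; that held-open connection is the resource a metrics or probe endpoint would otherwise spend on each idle client.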

Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.14.1
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.14.1
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.14.1
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.14.1
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck:v1.14.1
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.1
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.14.1
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.14.1
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.14.1
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.14.1
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.14.1
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.14.1
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.14.1
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.14.1

Release 1.13.6

cert-manager 1.13.6 was released on April 25, 2024.

Key features

  • This patch release fixes a bug in the DigitalOcean DNS-01 provider, which could cause incorrect DNS records to be deleted when using a domain with a CNAME.
  • This release also updates golang.org/x/net to the latest golang patch version - 1.21.9. This update addresses CVE-2023-45288.

Known Issue

The wrong certificate chain may be used if preferredChain is configured for ACME Issuer (Let's Encrypt). For more information, see the 1.14.4 release notes.

Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.13.6
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.13.6
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.13.6
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.13.6
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-ctl:v1.13.6
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.13.6
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.13.6
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.13.6
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.13.6
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.13.6
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.13.6
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.13.6
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.13.6
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.13.6

Release 1.13.3

cert-manager 1.13.3 was released on December 11, 2023.

Key features

This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:

  • GO-2023-2334: Decryption of malicious PBES2 JWE objects can consume unbounded system resources.

If you use the ArtifactHub security report or Trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:

  • CVE-2023-47108: DoS vulnerability in otelgrpc due to unbound cardinality metrics.

An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.

Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.13.3
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.13.3
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.13.3
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.13.3
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-ctl:v1.13.3
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.13.3
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.13.3
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.13.3
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.13.3
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.13.3
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.13.3
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.13.3
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.13.3
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.13.3

Read before upgrading!

  1. IMPORTANT NOTE: If upgrading from a version earlier than v1.12, upgrade to the latest v1.12 release before upgrading to v1.13.x. Otherwise, some certificates may be unexpectedly re-issued.
  2. BREAKING: If you deploy cert-manager using helm and have .featureGates value set, the features defined there will no longer be passed to cert-manager webhook, only to cert-manager controller. Use the webhook.featureGates field instead to define features to be enabled on webhook.
  3. POTENTIALLY BREAKING: If you pass cert-manager controller's features to webhook's --feature-gates flag, this will now break (unless the webhook actually has a feature by that name).
  4. POTENTIALLY BREAKING: Webhook validation of CertificateRequest resources is stricter now. All KeyUsages and ExtendedKeyUsages must be defined directly in the CertificateRequest resource; the encoded CSR can never contain more usages than are defined there.

Release 1.12.14

cert-manager 1.12.14 was released on November 18, 2024.

Key features

  • PEM input validation updates: This patch release sets a maximum size for PEM inputs which cert-manager will accept, to remove the possibility of taking a long time to process an input. This prevents an unacceptable slow-down in parsing specially crafted PEM data. The issue is low severity; exploiting the PEM issue would require privileged access which would likely allow Denial-of-Service through other methods. In addition, since most PEM data parsed by cert-manager comes from ConfigMap or Secret resources with a max size limit of approximately 1MB, it's difficult to force cert-manager to parse large amounts of PEM data.

  • Security issue fix: This release also fixes CVE-2024-5174 in github.com/golang-jwt/jwt/v4.
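
The PEM item above describes the mitigation as a maximum accepted input size. The following added Go example (not cert-manager's code) shows what bounding PEM parsing looks like with the standard encoding/pem package: the input length is checked before any decoding starts, and the number of blocks is capped while iterating, so the work done on an untrusted bundle is limited by the configured bounds rather than by the input. The limits, the sentinel errors and the sample block (a syntactically valid PEM block carrying three zero bytes, not a real certificate) are all assumptions constructed for the demonstration.

```go
package main

import (
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Limits for this example. These are assumptions chosen for the
// demonstration, not the values cert-manager uses.
const (
	maxPEMBytes  = 64 * 1024 // reject the input outright above this size
	maxPEMBlocks = 16        // stop decoding once a bundle exceeds this many blocks
)

var (
	ErrPEMTooLarge      = errors.New("pem: input exceeds size limit")
	ErrPEMTooManyBlocks = errors.New("pem: input contains too many blocks")
	ErrPEMNoBlocks      = errors.New("pem: no PEM blocks found")
)

// decodeBoundedPEM decodes every PEM block in data. The size limit is enforced
// before parsing starts and the block limit while iterating, so a caller never
// pays for more than maxPEMBytes of input or maxPEMBlocks of decoding.
func decodeBoundedPEM(data []byte) ([]*pem.Block, error) {
	if len(data) > maxPEMBytes {
		return nil, ErrPEMTooLarge
	}
	var blocks []*pem.Block
	rest := data
	for {
		var blk *pem.Block
		blk, rest = pem.Decode(rest)
		if blk == nil {
			break // no further BEGIN/END pair in the remaining bytes
		}
		blocks = append(blocks, blk)
		if len(blocks) > maxPEMBlocks {
			return nil, ErrPEMTooManyBlocks
		}
	}
	if len(blocks) == 0 {
		return nil, ErrPEMNoBlocks
	}
	return blocks, nil
}

// sampleBlock is a constructed, syntactically valid PEM block whose body is
// the base64 of three zero bytes. It is not a real certificate.
const sampleBlock = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"

// countBlocks returns how many blocks a bundle contains, or the bound that
// rejected it.
func countBlocks(data []byte) (int, error) {
	blocks, err := decodeBoundedPEM(data)
	if err != nil {
		return 0, err
	}
	return len(blocks), nil
}

func main() {
	inputs := map[string][]byte{
		"three blocks":    []byte(strings.Repeat(sampleBlock, 3)),
		"too many blocks": []byte(strings.Repeat(sampleBlock, maxPEMBlocks+1)),
		"oversized":       []byte(strings.Repeat("x", maxPEMBytes+1)),
		"garbage":         []byte("not pem at all"),
	}
	for name, in := range inputs {
		n, err := countBlocks(in)
		fmt.Printf("%-16s blocks=%d err=%v\n", name, n, err)
	}
}
```

Checking the length first matters because pem.Decode scans the whole input for the BEGIN and END markers on every call; the block cap protects against a bundle that is small enough to pass the size check but packs in far more blocks than any legitimate CA bundle would.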

Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.12.14
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.12.14
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.12.14
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.12.14
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck:v1.12.14
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.12.14
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.12.14
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.12.14
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.12.14
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.12.14
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.12.14
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.12.14
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.12.14
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.12.13

Release 1.12.13

cert-manager 1.12.13 was released on August 9, 2024.

Note

This version contains an unusually large number of Go dependency changes for a patch release. We are confident that it is stable because it has passed the same extensive suite of tests as previous 1.12 releases. But if you are importing cert-manager 1.12 as a Go module you will notice that the minimum Go version is 1.21, and the k8s.io modules are now updated to 0.29.

The reason for the large number of Go dependency changes is that the Helm SDK has been updated to fix security vulnerabilities in cmctl. This required the k8s.io modules to be updated from 0.27 to 0.29 in all components. The newer minor versions of the Kubernetes modules pulled in new transitive dependencies, and incremented the minimum Go version from 1.20 to 1.21.

Key features

  • Bugfixes

  • Dependencies

    • Added

      • github.com/antlr/antlr4/runtime/Go/antlr/v4: 8188dc5
      • github.com/google/gnostic-models: v0.6.8
      • github.com/xhit/go-str2duration/v2: v2.1.0
    • Changed

      • github.com/BurntSushi/toml: v1.2.1 was changed to v0.3.1
      • github.com/alecthomas/kingpin/v2: v2.3.1 was changed to v2.3.2
      • github.com/asaskevich/govalidator: f61b66f was changed to 21a406d
      • github.com/coreos/go-oidc: v2.1.0+incompatible was changed to v2.2.1+incompatible
      • github.com/coreos/go-semver: v0.3.0 was changed to v0.3.1
      • github.com/coreos/go-systemd/v22: v22.4.0 was changed to v22.5.0
      • github.com/cpuguy83/go-md2man/v2: v2.0.2 was changed to v2.0.3
      • github.com/davecgh/go-spew: v1.1.1 was changed to d8f796a
      • github.com/dustin/go-humanize: v1.0.0 was changed to v1.0.1
      • github.com/emicklei/go-restful/v3: v3.9.0 was changed to v3.11.0
      • github.com/evanphx/json-patch: v5.6.0+incompatible was changed to v5.7.0+incompatible
      • github.com/fatih/color: v1.15.0 was changed to v1.16.0
      • github.com/frankban/quicktest: v1.10.0 was changed to v1.14.3
      • github.com/fsnotify/fsnotify: v1.6.0 was changed to v1.7.0
      • github.com/go-openapi/jsonreference: v0.20.1 was changed to v0.20.2
      • github.com/golang-jwt/jwt/v4: v4.4.2 was changed to v4.5.0
      • github.com/golang/protobuf: v1.5.3 was changed to v1.5.4
      • github.com/google/cel-go: v0.12.6 was changed to v0.17.7
      • github.com/google/gnostic: v0.6.9 was changed to v0.5.7-v3refs
      • github.com/gorilla/websocket: v1.4.2 was changed to v1.5.0
      • github.com/hashicorp/go-hclog: v1.2.0 was changed to v1.6.3
      • github.com/hashicorp/go-retryablehttp: v0.7.2 was changed to v0.7.7
      • github.com/imdario/mergo: v0.3.12 was changed to v0.3.13
      • github.com/mattn/go-isatty: v0.0.17 was changed to v0.0.20
      • github.com/onsi/ginkgo/v2: v2.9.5 was changed to v2.13.0
      • github.com/onsi/gomega: v1.27.7 was changed to v1.29.0
      • github.com/prometheus/client_golang: v1.15.1 was changed to v1.16.0
      • github.com/prometheus/common: v0.42.0 was changed to v0.44.0
      • github.com/prometheus/procfs: v0.9.0 was changed to v0.10.1
      • github.com/sirupsen/logrus: v1.9.0 was changed to v1.9.3
      • github.com/spf13/cobra: v1.7.0 was changed to v1.8.0
      • go.etcd.io/bbolt: v1.3.6 was changed to v1.3.8
      • go.etcd.io/etcd/api/v3: v3.5.7 was changed to v3.5.10
      • go.etcd.io/etcd/client/pkg/v3: v3.5.7 was changed to v3.5.10
      • go.etcd.io/etcd/client/v2: v2.305.7 was changed to v2.305.10
      • go.etcd.io/etcd/client/v3: v3.5.7 was changed to v3.5.10
      • go.etcd.io/etcd/pkg/v3: v3.5.7 was changed to v3.5.10
      • go.etcd.io/etcd/raft/v3: v3.5.7 was changed to v3.5.10
      • go.etcd.io/etcd/server/v3: v3.5.7 was changed to v3.5.10
      • go.uber.org/atomic: v1.9.0 was changed to v1.10.0
      • go.uber.org/multierr: v1.6.0 was changed to v1.11.0
      • golang.org/x/exp: a1ab85d was changed to a9213ee
      • gopkg.in/natefinch/lumberjack.v2: v2.0.0 was changed to v2.2.1
      • k8s.io/api: v0.27.2 was changed to v0.29.7
      • k8s.io/apiextensions-apiserver: v0.27.2 was changed to v0.29.7
      • k8s.io/apimachinery: v0.27.2 was changed to v0.29.7
      • k8s.io/apiserver: v0.27.2 was changed to v0.29.7
      • k8s.io/client-go: v0.27.2 was changed to v0.29.7
      • k8s.io/code-generator: v0.27.2 was changed to v0.29.7
      • k8s.io/component-base: v0.27.2 was changed to v0.29.7
      • k8s.io/gengo: c0856e2 was changed to 9cce18d
      • k8s.io/klog/v2: v2.100.1 was changed to v2.110.1
      • k8s.io/kms: v0.27.2 was changed to v0.29.7
      • k8s.io/kube-aggregator: v0.27.2 was changed to v0.29.7
      • k8s.io/kube-openapi: 54b630e was changed to 2dd684a
      • k8s.io/utils: 9f67429 was changed to 3b25d92
      • sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.1.2 was changed to v0.28.0
      • sigs.k8s.io/structured-merge-diff/v4: v4.2.3 was changed to v4.4.1
    • Removed

      • github.com/antlr/antlr4/runtime/Go/antlr: v1.4.10
      • github.com/buger/jsonparser: v1.1.1
      • github.com/docopt/docopt-go: ee0de3b
      • github.com/flowstack/go-jsonschema: v0.1.1
      • github.com/xhit/go-str2duration: v1.2.0
      • go.opentelemetry.io/otel/exporters/otlp/internal/retry: v1.10.0

Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.12.13
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.12.13
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.12.13
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.12.13
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck:v1.12.13
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.12.13
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.12.13
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.12.13
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.12.13
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.12.13
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.12.13
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.12.13
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.12.13
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.12.13

Release 1.12.12

cert-manager 1.12.12 was released on June 21, 2024.

Key features

  • This patch release fixes the following vulnerability in the Microsoft Azure SDK: CVE-2024-35255.
  • This release also fixes an issue that caused the HashiCorp Vault issuer not to retry signing when an error was encountered.
  • This release updates the go-jose library dependency to v3.0.3.

Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.12.12
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.12.12
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.12.12
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.12.12
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck:v1.12.12
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.12.12
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.12.12
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.12.12
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.12.12
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.12.12
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.12.12
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.12.12
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.12.12
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.12.12

Release 1.12.11

cert-manager 1.12.11 was released on June 5, 2024.

Key features

  • This release upgrades Go to 1.21.11, to fix GO-2024-2824 and bring in security fixes for archive/zip and net/netip.

Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.12.11
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.12.11
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.12.11
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.12.11
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-startupapicheck:v1.12.11
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.12.11
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.12.11
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.12.11
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.12.11
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.12.11
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.12.11
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.12.11
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.12.11
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.12.11

Release 1.12.10

cert-manager 1.12.10 was released on April 25, 2024.

Key features

  • This patch release fixes a bug in the DigitalOcean DNS-01 provider, which could cause incorrect DNS records to be deleted when using a domain with a CNAME.
  • This release also updates golang.org/x/net to the latest golang patch version, 1.21.9. This update addresses CVE-2023-45288.

Known Issue

The wrong certificate chain may be used if preferredChain is configured for an ACME Issuer (Let's Encrypt). For more information, see the 1.14.4 release notes.

Downloads
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-controller:v1.12.10
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-acmesolver:v1.12.10
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-cainjector:v1.12.10
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-webhook:v1.12.10
  • Container Image: private-registry.venafi.cloud/cert-manager/cert-manager-ctl:v1.12.10
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.12.10
  • Helm Chart: oci://private-registry.venafi.cloud/charts/cert-manager:v1.12.10
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-controller:v1.12.10
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-acmesolver:v1.12.10
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-cainjector:v1.12.10
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-webhook:v1.12.10
  • Container Image: private-registry.venafi.eu/cert-manager/cert-manager-startupapicheck:v1.12.10
  • Helm Chart: oci://registry.venafi.cloud/charts/cert-manager:v1.12.10
  • Helm Chart: oci://private-registry.venafi.eu/charts/cert-manager:v1.12.10