cert-manager releases¶

Learn about current and past releases of cert-manager.

Latest cert-manager release¶

The latest stable release of cert-manager is v1.15.1.

Downloads¶

Release 1.15.1¶

cert-manager 1.15.1 was released on June 26, 2024.

Key features¶

• This patch release fixes the following vulnerability in the Microsoft Azure SDK: CVE-2024-35255.
• This release also fixes an issue that caused the HashiCorp Vault issuer not to retry signing when an error was encountered.
• The go-retryablehttp dependency was updated to v.0.7.7 to fix the following vulnerability: CVE-2024-6104.

Release 1.15.0¶

cert-manager 1.15.0 was released on June 5, 2024.

Breaking changes¶

Before upgrading cert-manager from 1.14.x to 1.15.0, please read the following important notes about breaking changes in 1.15.0:

GatewayAPI support¶

GatewayAPI support has been promoted to Beta, and thus the feature flag ExperimentalGatewayAPISupport is now enabled by default.

If you enabled this feature flag in version 1.14, you will now need to pass the flag --enable-gateway-api instead. This is because, while the feature is now enabled by default, cert-manager will not crash if the GatewayAPI CRDs are not installed.

CRD retention¶

Helm will now keep the CRDs when you uninstall cert-manager by default to prevent accidental data loss. New crds.keep and crds.enabled Helm options were added to replace the installCRDs option.

cmctl¶

The cert-manager CLI has moved to a new GitHub repository for this release.

From this release, cmctl is no longer to be released with cert-manager itself, and there will no further quay.io/jetstack/cert-manager-ctl OCI images.

For the startupapicheck Job you should update references to point at quay.io/jetstack/cert-manager-startupapicheck.

Key features¶

• GatewayAPI support has graduated to Beta. The ExperimentalGatewayAPISupport feature flag is now enabled by default. An --enable-gateway-api flag / configuration file option has been added, this is disabled by default.
• This release adds support for numeric OID types in LiteralSubject. For example: 1.2.3.4=String Value.
• Updated the Route53 provider to support fetching credentials using AssumeRoleWithWebIdentity.
• cert-manager now supports specifying a custom key alias in a JKS Keystore.
• You can now communicate with HashiCorp Vault using mTLS when strict client certificates is enabled on Vault server side.
• There is now an option to provide additional audiences in the service account authentication section for HashiCorp Vault.

• Venafi Enhanced Issuer now sends a cert-manager HTTP User Agent header in all Venafi Rest API requests.

  For example: cert-manager-certificaterequests-issuer-venafi/v1.15.0+(linux/amd64)+cert-manager/ef068a59008f6ed919b98a7177921ddc9e297200.

• A new Ingress annotation was added for copying specific Ingress annotations to Certificate's secretTemplate.

• The LiteralCertificateSubject feature is now promoted to Beta.
• cert-manager.io/allow-direct-injection is now allowed in annotations.
• If the --controllers flag only specifies disabled controllers, the default controllers are now enabled implicitly.
• disableAutoApproval and approveSignerNames Helm chart options are now available.
• A hint was added to validation error messages to help users of external issuers troubleshoot issues more easily if they specify a Kind but forget the Group.
• The Helm chart now allows you to supply extraObjects. A list of YAML manifests that Helm will install and uninstall with the cert-manager manifests.
• Optional hostAliases was added to the cert-manager pod to allow the DNS self-check to pass in custom scenarios.

Bug fixes¶

• DigitalOcean: Ensure that only TXT records are considered for deletion when cleaning up after an ACME challenge.
• Fixed unintended certificate chain is used if preferredChain is configured.
• A fix for ACME issuer waiting for DNS propagation when using Azure DNS with multiple instances issuing for the same FQDN.
• Fixed issue with JSON-logging where only a subset of the log messages were output as JSON.
• JKS and PKCS12 stores now contain the full set of CAs specified by an issuer.
• Fixed an issue where the cainjector leaderelection flag/configuration option defaults were missing.
• Corrected an issue where cert-manager issuers incorrectly copied the critical flag from the CSR instead of re-calculating that field themselves.
• Updated cert-manager to fix an issue where LiteralSubjects with a #= value can result in memory issues due to faulty BER parser.
• Fixed backwards incompatible removal of default prometheus Service resource.
• Fixed the broken cainjector image value in the Helm chart.
• Added a fix to ensure Azure SDK error messages are stable.
• When using the literalSubject on a Certificate, the webhook validation for the common name now also points to the literalSubject.
• Fixed an error in the logic that differentiates between 0 and an empty value in Helm.

Other¶

• crds.keep and crds.enabled Helm options were added to replace the installCRDs option.
• Remove deprecated pkg/util/pki/ParseSubjectStringToRawDERBytes function.

• The following components were upgraded in this release:

  • Kind was upgraded to v0.23.0.
  • Go was upgraded to v1.22.4 to fix GO-2024-2824 / CVE-2024-24788.
  • golang.org/x/net was upgraded to v0.24.0 fix CVE-2023-45288
  • github.com/go-jose/go-jose was upgraded to v3.0.3 to fix CVE-2024-28180
  • google.golang.org/protobuf was upgraded to v1.33.0 fix GO-2024-2611 / CVE-2024-24786

Release 1.14.7¶

cert-manager 1.14.7 was released on June 21, 2024.

Key features¶

• This patch release fixes the following vulnerability in the Microsoft Azure SDK: CVE-2024-35255.
• This release also fixes an issue that caused the HashiCorp Vault issuer not to retry signing when an error was encountered.

Release 1.14.6¶

cert-manager 1.14.6 was released on June 5, 2024.

Key features¶

• This release upgrades Go to 1.21.11, to fix GO-2024-2824 and bring in security fixes for archive/zip and net/netip.
• Helm: the cainjector ConfigMap was not mounted in the cainjector deployment.

Release 1.14.5¶

cert-manager 1.14.5 was released on April 25, 2024.

Key features¶

• This patch release fixes a bug in the DigitalOcean DNS-01 provider, which could cause incorrect DNS records to be deleted when using a domain with a CNAME.
• This release also updates golang.org/x/net to the latest golang patch version - 1.21.9. This update addresses CVE-2023-45288.

Release 1.14.4¶

cert-manager 1.14.4 was released on March 7, 2024.

Key features¶

• This release allows 'cert-manager.io/allow-direct-injection' in annotations.
• An issue where JKS and PKCS12 stores did not contain the full set of CAs specified by an issuer was fixed.
• An issue was also corrected where the cainjector leader election flag/configuration option defaults were missing.
• This release upgrades the versions of Helm to v3.14.2, Go to v1.21.8, and google.golang.org/protobuf to v1.33.0.

Release 1.14.3¶

cert-manager 1.14.3 was released on February 23, 2024.

Key features¶

• This release fixes an issue with JSON-logging, where only a subset of the log messages were outputted as JSON.
• This release also corrects an issue where LiteralSubjects with a #= value can result in memory issues due to a faulty BER parser.

Release 1.14.2¶

cert-manager 1.14.2 was released on February 8, 2024.

Key features¶

• The release fixes an issue where cert-manager CA and SelfSigned issuers incorrectly copied the critical flag from the CSR instead of re-calculating that field.
• This release also corrects an issue with the Helm trick used to differentiate between 0 and an empty value.

Release 1.14.1¶

cert-manager 1.14.1 was released on February 2, 2024.

Key features¶

cert-manager 1.14.1 brings a variety of features, security improvements and bug fixes, including support for creating X.509 certificates with Other Name fields, and support for creating CA certificates with Name Constraints and Authority Information Accessors extensions.

• New X.509 features

  • The cert-manager certificate resource now allows you to configure a subset of "Other Name" SANs, which are described in the Subject Alternative Name section of RFC 5280 (on page 37).

  • We specifically support any otherName type with a UTF-8 value, such as the User Principal Name or sAMAccountName. These are useful when issuing unique certificates for authenticating with LDAP systems such as Microsoft Active Directory. For example you can create certificates with this block in the spec:

    otherNames:
        - oid: 1.3.6.1.4.1.311.20.2.3 # UPN OID
        utf8Value: upn@domain.local
    

    The feature is still in alpha stage and requires you to enable the OtherName feature flag in the controller and webhook components.

• New CA certificate features

  • You can now specify the X.509 v3 Authority Information Accessors extension, with URLs for certificates issued by the CA issuer.

  • Users can now use name constraints in CA certificates. To know more details on name constraints check out RFC 5280 section 4.2.1.10.

• Security updates

  • An ongoing security audit of the cert-manager code revealed some weaknesses which were addressed in this release, such as using more secure default settings in the HTTP servers that serve metrics, healthz and pprof endpoints. This will help mitigate denial-of-service attacks against those services.

  • All the cert-manager containers are now configured with read-only root file system by default, to prevent unexpected changes to the file system of the OCI image.

  • It is now possible to configure the metrics server to use HTTPS rather than HTTP, so that clients can verify the identity of the metrics server.

• Miscellaneous

  • The liveness probe of the cert-manager controller Pod is now enabled by default.

  • There is a new option .spec.keystores.pkcs12.algorithms to specify encryption and MAC algorithms for PKCS.

  • The KeyUsage and BasicConstraints extensions are now encoded as critical in the CertificateRequest's CSR blob.

  • cert-manager 1.14.1 fixes issues in the Helm chart, as well as minor issues in cmctl.

Release 1.13.6¶

cert-manager 1.13.6 was released on April 25, 2024.

Key features¶

• This patch release fixes a bug in the DigitalOcean DNS-01 provider, which could cause incorrect DNS records to be deleted when using a domain with a CNAME.
• This release also updates golang.org/x/net to the latest golang patch version - 1.21.9. This update addresses CVE-2023-45288.

Release 1.13.3¶

cert-manager 1.13.3 was released on December 11, 2023.

Key features¶

This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:

• GO-2023-2334: Decryption of malicious PBES2 JWE objects can consume unbounded system resources.

If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:

• CVE-2023-47108: DoS vulnerability in otelgrpc due to unbound cardinality metrics.

An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.

Release 1.12.12¶

cert-manager 1.12.12 was released on June 21, 2024.

Key features¶

• This patch release fixes the following vulnerability in the Microsoft Azure SDK: CVE-2024-35255.
• This release also fixes an issue that caused the HashiCorp Vault issuer not to retry signing when an error was encountered.
• This release updates the go-jose library dependency to v3.0.3.

Release 1.12.11¶

cert-manager 1.12.11 was released on June 5, 2024.

Key features¶

• This release upgrades Go to 1.21.11, to fix GO-2024-2824 and bring in security fixes for archive/zip and net/netip.

Release 1.12.10¶

cert-manager 1.12.10 was released on April 25, 2024.

Key features¶

• This patch release fixes a bug in the DigitalOcean DNS-01 provider, which could cause incorrect DNS records to be deleted when using a domain with a CNAME.
• This release also updates golang.org/x/net to the latest golang patch version - 1.21.9. This update addresses CVE-2023-45288.