
Release 1.18

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.18 introduces several new features and breaking changes. Highlights include support for ACME certificate profiles, a new default for Certificate.Spec.PrivateKey.RotationPolicy now set to Always (breaking change), and the default Certificate.Spec.RevisionHistoryLimit now set to 1 (potentially breaking). Be sure to review all new features and changes below, and read the full release notes carefully before upgrading.

Known Issues

ACME HTTP01 challenge paths are rejected by the ingress-nginx validating webhook

🐛 See cert-manager/issues/7791.

In cert-manager v1.18.0, we changed the default PathType from ImplementationSpecific to Exact, in the Ingress routes that are created by the ACME HTTP01 challenge controller. This was to support Ingress controllers such as Cilium, which treat ImplementationSpecific paths as regular expressions.

But the change is incompatible with certain versions and configurations of the ingress-nginx Ingress controller. Versions of ingress-nginx >=1.8.0 support a strict-validate-path-type configuration option which, when enabled, disallows . (dot) in the path value. This is a bug which makes it impossible to use various legitimate URL paths, including the http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN> URLs used for ACME HTTP01. To make matters worse, the buggy validation is enabled by default in ingress-nginx >= 1.12.0.

We are working on a fix. The next cert-manager patch release v1.18.1 (release date is yet to be decided) will gate the PathType: Exact change behind a feature gate, which will be enabled by default. This will allow you to reinstate the old PathType: ImplementationSpecific behavior, by disabling the feature gate.

Meanwhile, you have two options:

  1. Do not upgrade cert-manager. Continue to use cert-manager 1.17.
  2. Disable the strict-validate-path-type option in your ingress-nginx controller.

Major Themes

ACME Certificate Profiles

cert-manager now supports the selection of ACME certificate profiles, allowing users to request different categories of certificates from their ACME Certificate Authority. This enhancement leverages the latest ACME protocol extension for certificate profiles (IETF draft) and is supported by Let's Encrypt and other providers. For example, Let's Encrypt offers the tlsserver profile for standard server certificates and the shortlived profile for short-lived six-day certificates. These new options provide users with greater flexibility and improved security for their certificate management needs.

📖 Learn more by visiting the ACME Issuer documentation.

The default value of Certificate.Spec.PrivateKey.RotationPolicy is now Always

âš ī¸ Breaking change

We have changed the default value of Certificate.Spec.PrivateKey.RotationPolicy from Never to Always.

Why? Because the old default was unintuitive and insecure. For example, if a private key is exposed, users may (reasonably) assume that re-issuing a certificate (e.g. using cmctl renew) will generate a new private key, but it won't unless the user has explicitly set rotationPolicy: Always on the Certificate resource.

This change is feature gated and is enabled by default, because it has been fast-tracked to beta status.

Users who want to preserve the old default have two options:

  1. Explicitly set rotationPolicy: Never on your Certificate resources.
  2. Turn off the feature gate in this release and explicitly set rotationPolicy: Never on your Certificates before release 1.19. In release 1.19, the feature will be marked as GA and it will no longer be possible to turn off the feature.

The following Helm chart values can be used to turn off the feature gate:

# values.yaml
config:
  featureGates:
    DefaultPrivateKeyRotationPolicyAlways: false

â„šī¸ The old default value Never was always intended to be changed before API v1, as can be seen in the description of the original PR:

For backward compatibility, the empty value is treated as 'Never' which matches the behavior we have today. In a future API version, we can flip this default to be Always.

📖 See Issue: 7601: Change PrivateKey.RotationPolicy to default to Always to read the proposal for this change and the discussion around it.

📖 Read cert-manager component configuration to learn more about feature gates.

📖 Read our updated API compatibility statement, which now reflects our new, more flexible approach to changing API defaults, with a view to introducing other "sane" default API values in future releases.

📖 Read Issuance behavior: Rotation of the private key to learn more about private key rotation in cert-manager.

The default value of Certificate.Spec.RevisionHistoryLimit is now 1

âš ī¸ Potentially breaking change

The default value for the Certificate resource's revisionHistoryLimit field is now set to 1. This ensures that old CertificateRequest revisions are automatically garbage collected, improving resource management and reducing clutter in clusters. Previously, if not specified, no limit was applied, potentially leading to an accumulation of stale CertificateRequest resources. With this update, users no longer need to manually configure the revision history limit to benefit from automated cleanup.

When you upgrade to cert-manager 1.18, all stale CertificateRequest resources will be garbage collected, unless you explicitly set the revisionHistoryLimit value on your Certificate resources.
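Both default changes above (rotationPolicy and revisionHistoryLimit) only bite Certificates that leave the field unset, so a pre-upgrade audit is a matter of listing those. The script below is an added example, not cert-manager tooling: it reads the JSON that `kubectl get certificates -A -o json` prints (or the constructed sample embedded here), reports each Certificate that relies on a changed default, and builds the `kubectl patch` body that pins the old behaviour explicitly. The sample names and namespaces are made up.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get certificates -A -o json`.
SAMPLE = {"items": [
    {"metadata": {"namespace": "default", "name": "web-tls"},
     "spec": {"secretName": "web-tls", "dnsNames": ["web.example.test"]}},
    {"metadata": {"namespace": "default", "name": "pinned-tls"},
     "spec": {"secretName": "pinned-tls", "revisionHistoryLimit": 3,
              "privateKey": {"rotationPolicy": "Never"}}},
    {"metadata": {"namespace": "payments", "name": "api-tls"},
     "spec": {"secretName": "api-tls",
              "privateKey": {"rotationPolicy": "Always", "algorithm": "ECDSA"}}},
]}

ROTATION_NOTE = "privateKey.rotationPolicy unset: new default Always rotates the key on every (re)issuance"
HISTORY_NOTE = "revisionHistoryLimit unset: new default 1 garbage-collects older CertificateRequests"

def audit(cert_list):
    """Return one finding per Certificate whose behaviour changes under the 1.18 defaults."""
    findings = []
    for item in cert_list.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        issues = []
        # privateKey may be absent entirely or present without rotationPolicy.
        if (spec.get("privateKey") or {}).get("rotationPolicy") is None:
            issues.append(ROTATION_NOTE)
        if spec.get("revisionHistoryLimit") is None:
            issues.append(HISTORY_NOTE)
        if issues:
            findings.append({"certificate": name, "issues": issues})
    return findings

def pin_old_behaviour(item, keep_revisions=None):
    """Merge-patch body that makes the pre-1.18 behaviour explicit.
    rotationPolicy: Never restores key reuse; the old 'unlimited history' has no
    explicit value, so revisionHistoryLimit is only pinned to a count you choose."""
    spec = item.get("spec", {})
    patch = {}
    if (spec.get("privateKey") or {}).get("rotationPolicy") is None:
        patch["privateKey"] = {"rotationPolicy": "Never"}
    if spec.get("revisionHistoryLimit") is None and keep_revisions is not None:
        patch["revisionHistoryLimit"] = keep_revisions
    return {"spec": patch} if patch else None

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in audit(data):
        print(finding["certificate"])
        for issue in finding["issues"]:
            print("  -", issue)
        ns, name = finding["certificate"].split("/", 1)
        item = next(i for i in data["items"] if i["metadata"]["name"] == name)
        print("  kubectl patch certificate", name, "-n", ns, "--type merge -p",
              json.dumps(pin_old_behaviour(item, keep_revisions=5)))
```

Pipe real cluster output in with `kubectl get certificates -A -o json | python3 audit.py`; pick the revisionHistoryLimit value yourself, since 1.18 provides no "unlimited" setting to fall back to.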

Copy annotations from Ingress or Gateway to the Certificate

We've added a new configuration option to the cert-manager controller: --extra-certificate-annotations, which allows you to specify annotation keys to be copied from an Ingress or Gateway resource to the resulting Certificate object. Read Annotated Ingress resource: Copy annotations to the Certificate, and Annotated Gateway resource: Copy annotations to the Certificate, to learn more.

Community

As always, we'd like to thank all of the community members who helped in this release cycle, including all below who merged a PR and anyone that helped by commenting on issues, testing, or getting involved in cert-manager meetings. We're lucky to have you involved.

A special thanks to:

for their contributions, comments and support!

Also, thanks to the cert-manager maintainer team for their help in this release:

And finally, thanks to the cert-manager steering committee for their feedback in this release cycle:

v1.18.0

Changes since v1.17.2:

Feature

  • Add config to the Vault issuer to allow the server-name to be specified when validating the certificates the Vault server presents. (#7663, @ThatsMrTalbot)
  • Added app.kubernetes.io/managed-by: cert-manager label to the created Let's Encrypt account keys (#7577, @terinjokes)
  • Added certificate issuance and expiration time metrics (certmanager_certificate_not_before_timestamp_seconds, certmanager_certificate_not_after_timestamp_seconds). (#7612, @solidDoWant)
  • Added ingress-shim option --extra-certificate-annotations, which sets a list of annotation keys to be copied from Ingress-like to resulting Certificate object (#7083, @k0da)
  • Added the iss short name for the cert-manager Issuer resource
  • Added the ciss short name for the cert-manager ClusterIssuer resource (#7373, @SgtCoDFish)
  • Adds the global.rbac.disableHTTPChallengesRole helm value to disable HTTP-01 ACME challenges. This allows cert-manager to drop its permission to create pods, improving security when HTTP-01 challenges are not required. (#7666, @ali-hamza-noor)
  • Allow customizing signature algorithm (#7591, @tareksha)
  • Cache the full DNS response and handle TTL expiration in FindZoneByFqdn (#7596, @ThatsIvan)
  • Cert-manager now uses a local fork of the golang.org/x/crypto/acme package (#7752, @wallrj)
  • Add support for ACME profiles extension. (#7777, @wallrj)
  • Promote the UseDomainQualifiedFinalizer feature to GA. (#7735, @jsoref)
  • Switched service/servicemon definitions to use port names instead of numbers. (#7727, @jcpunk)
  • The default value of Certificate.Spec.PrivateKey.RotationPolicy changed from Never to Always. (#7723, @wallrj)
  • Set the default revisionHistoryLimit to 1 for the CertificateRequest revisions (#7758, @ali-hamza-noor)

Documentation

Bug or Regression

  • Bump go-jose dependency to address CVE-2025-27144. (#7606, @SgtCoDFish)
  • Bump golang.org/x/oauth2 to patch CVE-2025-22868.
  • Bump golang.org/x/crypto to patch GHSA-hcg3-q754-cr77.
  • Bump github.com/golang-jwt/jwt to patch GHSA-mh63-6h87-95cp. (#7638, @NicholasBlaskey)
  • Change the Kubernetes Ingress pathType from ImplementationSpecific to Exact for reliable handling across ingress controllers and enhanced security. (#7767, @sspreitzer)
  • Fix AWS Route53 error detection for not-found errors during deletion of DNS records. (#7690, @wallrj)
  • Fix behavior when running with --namespace=<namespace>: limit the scope of cert-manager to a single namespace and disable cluster-scoped controllers. (#7678, @tsaarni)
  • Fix handling of certificates with IP addresses in the commonName field; IP addresses are no longer added to the DNS subjectAlternativeName list and are instead added to the ipAddresses field as expected. (#7081, @johnjcool)
  • Fix issuing of certificates via DNS01 challenges on Cloudflare after a breaking change to the Cloudflare API (#7549, @LukeCarrier)
  • Fixed the certmanager_certificate_renewal_timestamp_seconds metric help text indicating that the metric is relative to expiration time, rather than Unix epoch time. (#7609, @solidDoWant)
  • Fixing the service account template to incorporate boolean values for the annotations. (#7698, @ali-hamza-noor)
  • Quote nodeSelector values in Helm Chart (#7579, @tobiasbp)
  • Skip Gateway TLS listeners in Passthrough mode. (#6986, @vehagn)
  • Upgrade golang.org/x/net fixing CVE-2025-22870. (#7619, @depandabot[bot])

Other (Cleanup or Flake)

  • ACME E2E Tests: Upgraded Pebble to v2.7.0 and modified the ACME tests to match latest Pebble behavior. (#7771, @wallrj)
  • Patch the third_party/forked/acme package with support for the ACME profiles extension. (#7776, @wallrj)
  • Promote the AdditionalCertificateOutputFormats feature to GA, making additional formats always enabled. (#7744, @erikgb)
  • Remove deprecated feature gate ValidateCAA. Setting this feature gate is now a no-op which does nothing but print a warning log line (#7553, @SgtCoDFish)
  • Upgrade golang.org/x/net fixing CVE-2025-22870. (#7619, @depandabot[bot])
  • Update kind images to include the Kubernetes 1.33 node image (#7787, @wallrj)
  • Upgrade Go to v1.24.4 (#7785, @wallrj)
  • Use slices.Contains to simplify code (#7753, @cuinix)