โš ๏ธ Action Required
Immediate upgrade recommended for all users relying on Cloudflare DNS01 challenges to restore functionality and ensure uninterrupted certificate issuance.


This cert-manager v1.17.1 patch release delivers a crucial fix for users leveraging Cloudflare DNS01 challenges. Due to a recent breaking API change from Cloudflare, cert-manager v1.17.0 and earlier versions were experiencing issues with certificate issuance via this method. This update ensures seamless operation for your ACME certificates, alongside a standard bump to the Go toolchain to v1.23.6.


🔒 Cloudflare DNS01 Challenge Fix: Adapting to API Changes

If you’ve been experiencing issues with cert-manager failing to issue certificates using the Cloudflare DNS01 solver, this release is for you! Cloudflare recently implemented a breaking change to their API, specifically removing the ZoneID from certain responses. This external change impacted how cert-manager identified and managed DNS records, leading to failed ACME challenges. This v1.17.1 patch restores full functionality, ensuring your certificates are issued without a hitch.

To mitigate the issue, cert-manager now explicitly sets the ZoneID when processing DNS records returned by Cloudflare’s API. This small but critical adjustment ensures that the cert-manager controller correctly correlates the DNS record with its associated zone, allowing the ACME challenge to complete successfully. The fix is transparent to users; simply upgrading to v1.17.1 will resolve the problem.

```go
// Cloudflare made a breaking change to their API and removed the ZoneID from responses:
// https://developers.cloudflare.com/fundamentals/api/reference/deprecations/#2024-11-30
// The simplest fix is to set the ZoneID manually here
rec.ZoneID = zoneID
```

Source:

  • pkg/issuer/acme/dns/cloudflare/cloudflare.go (lines 233-237)
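
An added illustration, not cert-manager's own code: the Go sketch below decodes a constructed Cloudflare-style record list that lacks `zone_id` and shows why a later call that needs the record's zone fails until the caller's already-known zone ID is copied onto the record. The `dnsRecord` type, `findTxtRecord`, `deletePath`, and the sample IDs are hypothetical names and values chosen for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// dnsRecord is a hypothetical, reduced model of a Cloudflare DNS record (not cert-manager's type).
type dnsRecord struct {
	ID, Name, Type string // decoded from "id", "name", "type" (case-insensitive match)
	ZoneID         string `json:"zone_id"`
}

// Constructed sample list response: zone_id is absent, as after the API change.
const sampleResponse = `{"success":true,"result":[{"id":"rec-1","type":"TXT","name":"_acme-challenge.example.com"},
 {"id":"rec-2","type":"TXT","name":"other.example.com"}]}`

// findTxtRecord returns fqdn's TXT record; setZoneID applies the fix (copy the resolved zone ID).
func findTxtRecord(body, zoneID, fqdn string, setZoneID bool) (*dnsRecord, error) {
	var resp struct{ Result []dnsRecord }
	if err := json.Unmarshal([]byte(body), &resp); err != nil {
		return nil, err
	}
	for _, rec := range resp.Result {
		if rec.Type == "TXT" && rec.Name == strings.TrimSuffix(fqdn, ".") {
			if setZoneID {
				rec.ZoneID = zoneID
			}
			return &rec, nil
		}
	}
	return nil, fmt.Errorf("no TXT record named %q", fqdn)
}

// deletePath builds the record's API path and refuses a nil record or an empty zone/record ID.
func deletePath(rec *dnsRecord) (string, error) {
	if rec == nil || rec.ZoneID == "" || rec.ID == "" {
		return "", fmt.Errorf("record lacks a zone ID or record ID")
	}
	return "/zones/" + rec.ZoneID + "/dns_records/" + rec.ID, nil
}

func main() {
	for _, fix := range []bool{false, true} {
		rec, _ := findTxtRecord(sampleResponse, "zone-abc", "_acme-challenge.example.com.", fix)
		path, err := deletePath(rec) // a nil record is rejected by deletePath
		fmt.Printf("fix=%v path=%q err=%v\n", fix, path, err)
	}
}
```
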

Minor Updates & Housekeeping

This release also includes a routine upgrade of the Go toolchain to v1.23.6, bringing general performance improvements and bug fixes from the upstream Go project. Additionally, an internal build system adjustment was made to disable the automatic klone generation step, allowing more flexible manual version updates for internal dependencies.