๐Ÿ“‹ Recommended Actions

โš ๏ธ Action Required
Immediate upgrade recommended to ensure certificate name constraints are correctly applied, enhancing the security and validity of issued certificates.

cert-manager v1.17.4 is a targeted patch release addressing a critical bug in how URI name constraints are applied during certificate signing request (CSR) generation. Previously, Permitted.URIDomains were incorrectly treated as excluded, potentially leading to misconfigurations in certificate issuance policies. This fix ensures that your defined URI name constraints are honored as intended, bolstering the integrity and security of your issued certificates.

๐Ÿ”’ Corrected Name Constraints for URI Domains

In the world of certificate management, name constraints are a vital security feature, allowing you to restrict the set of names that can appear in certificates issued by a given CA. They ensure that your certificates adhere to strict policies, preventing unintended scope or misissuance. This v1.17.4 release delivers a crucial fix that ensures URI name constraints are correctly interpreted and applied by cert-manager. Previously, your specified Permitted.URIDomains were erroneously being processed as ExcludedURIDomains, which could lead to certificates being rejected or issued with incorrect constraints. This update guarantees that when you define a set of permitted URI domains, cert-manager will now respect that permission, aligning certificate issuance with your intended security policies.

The underlying issue stemmed from a logical error in the certificate signing request (CSR) generation process. When crt.Spec.NameConstraints.Permitted.URIDomains were configured, they were mistakenly assigned to the nameConstraints.ExcludedURIDomains field of the x509.CertificateRequest structure. This meant that any URIs you intended to permit were instead being excluded from the generated certificates. The fix involves a straightforward but impactful change: the Permitted.URIDomains are now correctly assigned to nameConstraints.PermittedURIDomains.

Before (incorrect behavior):

nameConstraints.ExcludedURIDomains = crt.Spec.NameConstraints.Permitted.URIDomains

After (correct behavior):

nameConstraints.PermittedURIDomains = crt.Spec.NameConstraints.Permitted.URIDomains

This change is vital for users relying on URI name constraints to enforce strict domain policies, ensuring that certificates are issued with the precise scope and security boundaries you define.

Source:

  • pkg/util/pki/csr.go (lines 303)

Minor Updates & Housekeeping

This release is a highly targeted patch that focuses solely on rectifying the critical name constraints bug. There are no other general housekeeping updates or dependency bumps included in this specific version.