⚠️ Action Required
Upgrade promptly: this release picks up the Go toolchain and golang.org/x dependency bumps that fix multiple high-severity CVEs. If you build custom ACME integrations against the vendored client (github.com/cert-manager/cert-manager/third_party/forked/acme), note that TLS-SNI-01 and TLS-SNI-02 challenge support has been removed and the corresponding functions now return errors. cert-manager's own ACME Issuer solvers (http01 and dns01) never used these challenge types and are not affected.


📝 Summary

cert-manager v1.18.4 is a security and ACME maintenance release. It moves to Go v1.24.11 and updates the golang.org/x dependencies, addressing multiple high-severity CVEs in the toolchain and those libraries. In the vendored ACME client, support for the long-deprecated TLS-SNI-01 and TLS-SNI-02 challenge types is removed, and TLS-ALPN-01 now handles IP address identifiers in addition to DNS names. The release also refreshes the distroless base images and includes small test and build fixes. Upgrade to pick up the security fixes, and review the ACME client changes if you depend on the forked package directly.


🔒 Critical Security Updates: Go Toolchain & Core Dependencies

🔒 Security Advisory
CVE ID: CVE-2025-61727, CVE-2025-61729, CVE-2025-47914, CVE-2025-58181
CVSS Score: 7.5 (High), as reported for this set; each CVE carries its own vector and score, so consult the individual advisories when prioritizing.

The security content of this release is the upgrade of the Go toolchain and the golang.org/x dependencies, which together address the CVEs listed above. Because every cert-manager component image is built from these components, the fixes reach a cluster only when the images are replaced with the ones built from this release.

cert-manager is now built with Go v1.24.11, and golang.org/x/crypto, golang.org/x/net, golang.org/x/sync, golang.org/x/sys, golang.org/x/term, golang.org/x/text, golang.org/x/mod and golang.org/x/tools are bumped to current releases; between them these updates carry the fixes for CVE-2025-61727, CVE-2025-61729, CVE-2025-47914 and CVE-2025-58181. A vulnerability scanner reports on the versions embedded in the shipped binaries, so confirm the Go version and module versions in the image you actually deploy rather than relying on the release notes alone.
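
A check worth running on the upgraded image before trusting the version bump: read the Go toolchain and golang.org/x module versions the controller binary was actually built with and compare them to floors. The program below is an added example written for this page, not cert-manager code. The go1.24.11 floor comes from the release notes; the module floors are placeholder assumptions to be filled in from go.sum at the v1.18.4 tag, and the constructed build info in the usage is not from a real binary.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"go/version"
	"os"
	"runtime/debug"
	"sort"
	"strconv"
	"strings"
)

// MinGo is the toolchain named in the release notes.
const MinGo = "go1.24.11"

// MinModules holds the module floors. The values here are assumptions
// (placeholders); fill them in from go.sum at the v1.18.4 tag.
var MinModules = map[string]string{
	"golang.org/x/crypto": "v0.0.0", // assumption: replace with the pinned version
	"golang.org/x/net":    "v0.0.0", // assumption: replace with the pinned version
}

// parseSemver reduces "vMAJOR.MINOR.PATCH[-pre][+meta]" to three integers.
// Pseudo-versions such as v0.0.0-20250101000000-abcdef collapse to 0.0.0, so
// they compare as older than any pinned release, which is the safe default.
func parseSemver(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// semverLess reports whether module version a is older than b.
func semverLess(a, b string) bool {
	pa, pb := parseSemver(a), parseSemver(b)
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// Audit compares a binary's embedded build info against the floors and returns
// one finding per violation; an empty result means the binary is at or above
// them. Replace directives win, because that is the code actually linked in.
func Audit(bi *debug.BuildInfo, minGo string, minMods map[string]string) []string {
	var findings []string
	if !version.IsValid(bi.GoVersion) || version.Compare(bi.GoVersion, minGo) < 0 {
		findings = append(findings, fmt.Sprintf("toolchain %q is older than %s", bi.GoVersion, minGo))
	}
	linked := map[string]string{}
	for _, dep := range bi.Deps {
		m := dep
		if dep.Replace != nil {
			m = dep.Replace
		}
		linked[dep.Path] = m.Version
	}
	for path, floor := range minMods {
		got, ok := linked[path]
		if !ok {
			continue // module not linked into this binary
		}
		if semverLess(got, floor) {
			findings = append(findings, fmt.Sprintf("%s %s is older than %s", path, got, floor))
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: buildaudit <path-to-cert-manager-binary>")
		os.Exit(2)
	}
	bi, err := buildinfo.ReadFile(os.Args[1]) // e.g. a controller binary copied out of the image
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	findings := Audit(bi, MinGo, MinModules)
	for _, f := range findings {
		fmt.Println("FAIL:", f)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
	fmt.Println("OK:", bi.GoVersion)
}
```

`go version -m <binary>` prints the same embedded build info from the command line, and `govulncheck -mode=binary <binary>` turns it into a per-CVE verdict; the program above is useful when you want a hard floor enforced in CI rather than a report.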

⚠️ ACME Protocol Updates: Deprecations and IP Address Support

This release changes how the vendored ACME client handles two challenge types. The TLS-SNI-01 and TLS-SNI-02 challenges, long deprecated after the shared-hosting validation flaw that led public CAs to withdraw them, are now explicitly unsupported. The TLS-ALPN-01 challenge (RFC 8737) gains support for IP address identifiers (RFC 8738), so it can validate a certificate for an address rather than a DNS name.

In the vendored client (github.com/cert-manager/cert-manager/third_party/forked/acme), the TLS-SNI-01 and TLS-SNI-02 challenge functions now return errors; callers should move to TLS-ALPN-01 or HTTP-01. For TLS-ALPN-01, the client provisions the challenge certificate for either a DNS name or an IP address, choosing between the dNSName and iPAddress Subject Alternative Name forms according to whether the identifier parses as an IP. The forked autocert package has been removed, since cert-manager does not rely on it for certificate management. OrderError now includes the problem details returned by the server, which makes failed orders easier to debug.

Excerpt from the forked client showing the identifier split, with unchanged logic elided:

func (c *Client) TLSALPN01ChallengeCert(token, identifier string, opt ...CertOption) (cert tls.Certificate, err error) {
    // ... existing logic ...
    tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, acmeExtension)
    newOpt = append(newOpt, WithTemplate(tmpl))
    return tlsChallengeCert(identifier, newOpt)
}

func tlsChallengeCert(identifier string, opt []CertOption) (tls.Certificate, error) {
    // ... existing logic ...
    if ip := net.ParseIP(identifier); ip != nil {
        tmpl.IPAddresses = []net.IP{ip}
    } else {
        tmpl.DNSNames = []string{identifier}
        tmpl.Subject.CommonName = identifier
    }
    // ... certificate creation ...
}

Source:

  • third_party/forked/acme/acme.go (574-577, 586-589, 625-658, 788-804)
  • third_party/forked/acme/rfc8555.go (282-283, 379-380)
  • third_party/forked/acme/types.go (163-167)
  • third_party/forked/acme/autocert/autocert.go (1-1199)
  • third_party/forked/acme/autocert/autocert_test.go (1-996)
  • third_party/forked/acme/autocert/cache.go (1-135)
  • third_party/forked/acme/autocert/cache_test.go (1-66)
  • third_party/forked/acme/autocert/example_test.go (1-35)
  • third_party/forked/acme/autocert/internal/acmetest/ca.go (1-796)
  • third_party/forked/acme/autocert/listener.go (1-135)
  • third_party/forked/acme/autocert/renewal.go (1-156)
  • third_party/forked/acme/autocert/renewal_test.go (1-269)
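
To see what the SAN split above means on the wire, the following is an added example written for this page (not code from the forked client or from cert-manager). It builds the RFC 8737 challenge certificate for either identifier kind, then validates it the way an ACME server would, rejecting a wrong key authorization, a mismatched identifier, or a non-critical extension. The key authorization string is a constructed sample; a real client derives it from the challenge token and the account key's JWK thumbprint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// id-pe-acmeIdentifier, RFC 8737 section 3.
var idPeACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

// ChallengeCert builds the self-signed leaf a TLS-ALPN-01 responder presents for
// identifier: an iPAddress SAN when identifier parses as an IP, a dNSName SAN
// otherwise (the same split the forked client now makes). keyAuth is the ACME
// key authorization "<token>.<JWK thumbprint>", supplied by the caller.
func ChallengeCert(identifier, keyAuth string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	digest := sha256.Sum256([]byte(keyAuth))
	extVal, _ := asn1.Marshal(digest[:]) // OCTET STRING holding the 32-byte digest
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// RFC 8737 requires the acmeIdentifier extension to be critical.
		ExtraExtensions: []pkix.Extension{{Id: idPeACMEIdentifier, Critical: true, Value: extVal}},
	}
	if ip := net.ParseIP(identifier); ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
	} else {
		tmpl.DNSNames = []string{identifier}
		tmpl.Subject = pkix.Name{CommonName: identifier}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ValidateChallengeCert runs the checks an ACME server applies to the leaf it
// receives over an "acme-tls/1" connection: exactly one SAN of the right kind
// equal to the identifier, and a critical acmeIdentifier extension whose
// OCTET STRING equals SHA-256(keyAuth).
func ValidateChallengeCert(der []byte, identifier, keyAuth string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	if ip := net.ParseIP(identifier); ip != nil {
		if len(cert.IPAddresses) != 1 || !cert.IPAddresses[0].Equal(ip) || len(cert.DNSNames) != 0 {
			return errors.New("SAN must hold exactly one iPAddress equal to the identifier")
		}
	} else if len(cert.DNSNames) != 1 || cert.DNSNames[0] != identifier || len(cert.IPAddresses) != 0 {
		return errors.New("SAN must hold exactly one dNSName equal to the identifier")
	}
	want := sha256.Sum256([]byte(keyAuth))
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(idPeACMEIdentifier) {
			continue
		}
		if !ext.Critical {
			return errors.New("acmeIdentifier extension must be critical")
		}
		var got []byte
		if rest, err := asn1.Unmarshal(ext.Value, &got); err != nil || len(rest) != 0 {
			return errors.New("acmeIdentifier extension is not a single OCTET STRING")
		}
		if subtle.ConstantTimeCompare(got, want[:]) != 1 {
			return errors.New("acmeIdentifier digest does not match the key authorization")
		}
		return nil
	}
	return errors.New("acmeIdentifier extension missing")
}

func main() {
	const keyAuth = "ctoken.cthumb" // constructed sample, not a real key authorization
	for _, id := range []string{"example.com", "192.0.2.1", "2001:db8::1"} {
		c, err := ChallengeCert(id, keyAuth)
		if err != nil {
			panic(err)
		}
		fmt.Println(id, "->", ValidateChallengeCert(c.Certificate[0], id, keyAuth))
	}
}
```

Because the extension is critical, Go's own chain verification would reject this leaf for any purpose other than the challenge, which is exactly the property RFC 8737 wants: the certificate cannot be mistaken for a real server certificate even though it carries the validated name or address.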

Minor Updates & Housekeeping

This release also updates the distroless base image digests for all architectures, switches test code from context.TODO() to t.Context() (available since Go 1.24), and fixes the build so that make update-third-party runs on macOS.