PREQUEL-2025-0094

cert-manager Cloudflare DNS cleanup failureHigh
Impact: 8/10
Mitigation: 4/10

PREQUEL-2025-0094View on GitHub

Cloudflare Cert-Manager Public API Deprecation

Description

cert-manager is unable to clean up Cloudflare DNS-01 challenges due to a change in the Cloudflare API, which no longer returns zone information in individual DNS records. This breaks the interaction when cert-manager attempts to delete the TXT record, resulting in a failed certificate generation.\n

Mitigation

- Update cert-manager to a version that supports the new Cloudflare API behavior.\n- This issue is fixed in cert-manager v1.17.2.\n

References

https://developers.cloudflare.com/fundamentals/api/reference/deprecations/#2024-11-30
https://github.com/cert-manager/cert-manager/blob/master/pkg/issuer/acme/dns/cloudflare/cloudflare.go#L194
https://github.com/cert-manager/cert-manager/issues/7540