
PREQUEL-2025-0094

cert-manager Cloudflare DNS cleanup failure
Severity: High
Impact: 8/10
Mitigation: 4/10


Description

cert-manager can no longer clean up Cloudflare DNS-01 challenges after a change in the Cloudflare API: responses for individual DNS records no longer carry the record's zone information. cert-manager's cleanup step depended on that per-record zone information when deleting the challenge TXT record, so the delete request fails, the TXT record is left in the zone, and the challenge does not complete, which causes certificate issuance to fail.


Cause

  • Cloudflare API change: zone information is no longer returned in individual DNS record responses.
  • cert-manager's Cloudflare DNS-01 solver expects each record returned by the API to carry its zone information and uses it when deleting the challenge TXT record, so the cleanup fails once that field is absent.
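
The failure mode and the shape of the fix, as an added example that is not cert-manager's code (cert-manager's actual implementation may differ in detail): a small Go test double stands in for the two Cloudflare API calls the cleanup step makes, with a switch between the old response shape (zone_id present on every record) and the current one (zone_id absent, as described above; the result envelope of the real API response is simplified away). cleanupTXT shows both ways of building the DELETE path: trusting the zone_id echoed back on each listed record, which degrades to /zones//dns_records/<id> and fails once the field is gone, and carrying over the zone ID the caller already had to resolve in order to list the records, which keeps working. The zone ID, record ID and record name are constructed values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed fixture: one Cloudflare zone holding one ACME DNS-01 challenge TXT record.
const zoneID, fqdn, recID = "zone123", "_acme-challenge.example.com", "rec456"

// dnsRecord keeps only the fields this example needs; zone_id is the field the current API dropped.
type dnsRecord struct {
	ID     string `json:"id"`
	ZoneID string `json:"zone_id,omitempty"`
	Name   string `json:"name"`
}

// fakeCloudflare is a test double for list-records and delete-record; includeZoneID picks old or current shape.
type fakeCloudflare struct {
	includeZoneID bool
	records       map[string]dnsRecord
}

func (f *fakeCloudflare) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	recordsPath := "/zones/" + zoneID + "/dns_records"
	switch {
	case r.Method == http.MethodGet && r.URL.Path == recordsPath:
		out := []dnsRecord{}
		for _, rec := range f.records {
			if !f.includeZoneID {
				rec.ZoneID = "" // current API: no zone information on the record
			}
			out = append(out, rec)
		}
		json.NewEncoder(w).Encode(out)
	case r.Method == http.MethodDelete && strings.HasPrefix(r.URL.Path, recordsPath+"/"):
		id := strings.TrimPrefix(r.URL.Path, recordsPath+"/")
		if _, ok := f.records[id]; ok {
			delete(f.records, id)
			json.NewEncoder(w).Encode(map[string]string{"id": id})
			return
		}
		fallthrough
	default: // unknown paths, including /zones//dns_records/<id> from an empty zone_id
		http.Error(w, "not found", http.StatusNotFound)
	}
}

// call issues one request, fails on any non-200 status and decodes the JSON body into out.
func call(c *http.Client, method, rawURL string, out interface{}) error {
	req, _ := http.NewRequest(method, rawURL, nil) // fixed method and a URL we built: cannot fail
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s %s: HTTP %d", method, rawURL, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// cleanupTXT deletes the challenge records in zone, an ID the caller resolved earlier (the list call
// needs it anyway). trustRecordZoneID selects which zone ID builds each DELETE path: the one echoed
// on the listed record (the pattern that breaks once zone_id is absent) or the resolved zone itself.
func cleanupTXT(c *http.Client, base, zone string, trustRecordZoneID bool) error {
	var recs []dnsRecord
	if err := call(c, http.MethodGet, base+"/zones/"+zone+"/dns_records", &recs); err != nil {
		return err
	}
	for _, rec := range recs {
		zid := zone
		if trustRecordZoneID {
			zid = rec.ZoneID // "" on the current API, so the path becomes /zones//dns_records/<id>
		}
		if err := call(c, http.MethodDelete, base+"/zones/"+zid+"/dns_records/"+rec.ID, &struct{}{}); err != nil {
			return err
		}
	}
	return nil
}

// runCleanup serves the fixture in the requested shape, runs one strategy and reports whether the
// TXT record was really removed, plus any error the cleanup returned.
func runCleanup(includeZoneID, trustRecordZoneID bool) (deleted bool, err error) {
	fake := &fakeCloudflare{includeZoneID: includeZoneID, records: map[string]dnsRecord{recID: {ID: recID, ZoneID: zoneID, Name: fqdn}}}
	srv := httptest.NewServer(fake)
	err = cleanupTXT(srv.Client(), srv.URL, zoneID, trustRecordZoneID)
	srv.Close() // blocks until handlers finish, so reading fake.records afterwards is race-free
	_, stillThere := fake.records[recID]
	return !stillThere, err
}

func main() {
	for _, trust := range []bool{true, false} {
		deleted, err := runCleanup(false, trust)
		fmt.Printf("current API, trust record zone_id=%v: deleted=%v err=%v\n", trust, deleted, err)
	}
}
```

Running it prints the outcome of both strategies against the current response shape: the variant that trusts the record's zone_id reports an HTTP 404 and leaves the TXT record in place, the variant that reuses the resolved zone ID removes it. Any client that reads a zone identifier back from a record instead of from the zone it just queried has the same weak spot, which is worth checking in in-house ACME or DNS automation that talks to Cloudflare.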

Mitigation

  • Upgrade cert-manager to v1.17.2 or later, the first release that handles the changed Cloudflare API response; confirm that the controller image running in the cluster is actually that version or newer.
  • Challenge TXT records that a failed cleanup left behind for challenges that no longer exist are not removed retroactively by the upgrade, so check the Cloudflare zone for stale challenge TXT records and remove them.

References