just released cert-manager v1.4.1, fixing a bug which was exposed by
cert-manager v1.4.0 but which had been around in the codebase since
Most certificates are unlikely be
affected, but you should probably upgrade from v1.4.0 to v1.4.1 to be
safe. The bug arises when a non-root certificate has the same subject DN
as its issuer.
For example, the bug is triggered if a
leaf certificate whose DN is a CommonName set to "abc" is issued by an
intermediate certificate whose DN matches exactly. If you hit the bug,
the effect will be a failure to issue or renew the certificate in
For more detail, see this issue: https://github.com/jetstack/cert-manager/issues/4142
again to everyone who reported this issue and helped us diagnose and
fix it! As ever, if you have any questions please feel free to reach out
in #cert-manager on Kubernetes Slack.