Sourced from github.com/cert-manager/cert-manager's releases.

v1.19.1

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

We reverted the CRD-based API defaults for Certificate.Spec.IssuerRef and CertificateRequest.Spec.IssuerRef after they were found to cause unexpected certificate renewals after upgrading to 1.19.0. We will try re-introducing these API defaults in cert-manager 1.20. We fixed a bug that caused certificates to be re-issued unexpectedly if the issuerRef kind or group was changed to one of the "runtime" default values. We upgraded Go to 1.25.3 to address the following security vulnerabilities: CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185, CVE-2025-58188, and CVE-2025-61725.

📖 Read the full 1.19 release notes on the cert-manager.io website before upgrading.

Changes since v1.19.0:

Bug or Regression

• BUGFIX: in case kind or group in the issuerRef of a Certificate was omitted, upgrading to 1.19.x incorrectly caused the certificate to be renewed (#8175, @​cert-manager-bot)
• Bump Go to 1.25.3 to fix a backwards incompatible change to the validation of DNS names in X.509 SAN fields which prevented the use of DNS names with a trailing dot (#8177, @​wallrj-cyberark)
• Revert API defaults for issuer reference kind and group introduced in 0.19.0 (#8178, @​cert-manager-bot)

• a22e21e Merge pull request #8180 from cert-manager-bot/cherry-pick-8168-to-release-1.19
• e1390a4 fix(deps): update module github.com/venafi/vcert/v5 to v5.12.2
• 36e4265 Merge pull request #8179 from cert-manager-bot/cherry-pick-8164-to-release-1.19
• 3416dd0 fix(deps): update module sigs.k8s.io/controller-runtime to v0.22.3
• 4a63715 Merge pull request #8178 from cert-manager-bot/cherry-pick-8173-to-release-1.19
• a48b6fc REVERT: API defaults for issuer reference kind and group
• 4706a48 Merge pull request #8177 from wallrj-cyberark/release-1.19-upgrade-go
• bdfb708 [release-1.19] Disable generate-klone so we can manually update Go versions
• 43825b6 [release-1.19] bump Go to 1.25.3
• de44c90 Merge pull request #8175 from cert-manager-bot/cherry-pick-8160-to-release-1.19
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)