> ## Documentation Index
> Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt
> Use this file to discover all available pages before exploring further.

# April 21, 2026 - cert-manager chart now uses DNS01 challenges

> cert-manager chart v1.18.0 switches Let's Encrypt ClusterIssuers to DNS01, removing the ingress controller requirement.

Version 1.18.0 of the CoreWeave [cert-manager](/products/cks/clusters/coreweave-charts/cert-manager) Helm chart, which bundles version 1.4.0 of the `cert-issuers` subchart, switches the bundled Let's Encrypt `ClusterIssuers` from `HTTP01` to `DNS01` challenges. `DNS01` is solved through a CoreWeave webhook at `acme.coreweave.com`, so cert-manager no longer needs to present a challenge token over HTTP through a temporary Ingress.

## Overview

Previous versions of the chart configured the bundled `letsencrypt-prod` and `letsencrypt-staging` `ClusterIssuers` to use the `HTTP01` ingress solver. That solver required a working ingress controller and a publicly reachable Ingress so the ACME CA server could fetch a challenge token over HTTP. With version 1.18.0, the bundled issuers use a webhook-based `DNS01` solver instead.

## Changes

* **DNS01 challenges by default**: Bundled `letsencrypt-prod` and `letsencrypt-staging` `ClusterIssuers` use a `dns01.webhook` solver.
* **Ingress controller no longer required for certificate issuance**: The `HTTP01` ingress solver is no longer used, so an ingress controller such as [Traefik](/products/cks/clusters/coreweave-charts/traefik) is no longer a prerequisite for issuing a certificate. An ingress controller is still required to serve HTTPS traffic, but cert-manager can request and renew certificates before one is deployed.
* **Wildcard certificates supported**: The `DNS01` challenge type supports wildcard certificates, which were not possible with the previous `HTTP01` configuration.
* **No public challenge endpoint**: Because the challenge is resolved through DNS, cert-manager does not create a temporary Ingress or expose a token over HTTP during issuance.

## Upgrade

Upgrade to the new chart version with Helm:

```bash theme={"system"}
helm repo update
helm upgrade cert-manager coreweave/cert-manager \
  --namespace cert-manager \
  --version 1.18.0
```

Existing `Certificate` resources that reference the bundled `letsencrypt-prod` or `letsencrypt-staging` `ClusterIssuers` are reissued through `DNS01` on the next renewal. Custom `ClusterIssuers` and `Issuers` defined outside the bundled set are unchanged.