Add documentation for ACME certificate profiles

[wallrj]

Preview:

• https://deploy-preview-1704--cert-manager.netlify.app/docs/releases/release-notes/release-notes-1.18#acme-certificate-profiles
• https://deploy-preview-1704--cert-manager.netlify.app/docs/configuration/acme/#acme-certificate-profiles
• https://deploy-preview-1704--cert-manager.netlify.app/docs/tutorials/acme/nginx-ingress/#step-6---configure-a-lets-encrypt-issuer
• https://deploy-preview-1704--cert-manager.netlify.app/docs/troubleshooting/acme/#common-errors-1

Adds documentation for ACME certificate profiles, updating examples and release notes.

• Inserts profile: tlsserver in various tutorial and example YAML manifests.
• Extends configuration docs with a new “ACME Certificate Profiles” section and adds troubleshooting entries.
• Updates release notes and tutorial markdown to reference profile usage.

[netlify]

✅ Deploy Preview for cert-manager ready!

Built without sensitive environment variables

Name	Link
🔨 Latest commit	96caf0a
🔍 Latest deploy log	https://app.netlify.com/projects/cert-manager/deploys/6842ffac0e8b4c00086f5b54
😎 Deploy Preview	https://deploy-preview-1704--cert-manager.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[Copilot]

Pull Request Overview

Adds initial support and documentation for ACME certificate profiles, updating examples and release notes.

• Inserts profile: tlsserver in various tutorial and example YAML manifests.
• Extends configuration docs with a new “ACME Certificate Profiles” section and adds troubleshooting entries.
• Updates release notes and tutorial markdown to reference profile usage.

Reviewed Changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
public/docs/tutorials/getting-started-aws-letsencrypt/clusterissuer-lets-encrypt-staging.yaml	Add profile: tlsserver in ACME spec
public/docs/tutorials/getting-started-aws-letsencrypt/clusterissuer-lets-encrypt-production.yaml	Add profile: tlsserver in ACME spec
public/docs/tutorials/getting-started-aks-letsencrypt/clusterissuer-lets-encrypt-staging.yaml	Add profile: tlsserver in ACME spec
public/docs/tutorials/getting-started-aks-letsencrypt/clusterissuer-lets-encrypt-production.yaml	Add profile: tlsserver in ACME spec
content/docs/tutorials/getting-started-with-cert-manager-on-google-kubernetes-engine-using-lets-encrypt-for-ingress-ssl/README.md	Add profile: tlsserver to example Issuer specs
content/docs/tutorials/acme/nginx-ingress.md	Display Profile: tlsserver in NGINX ingress guide
content/docs/tutorials/acme/example/staging-issuer.yaml	Document profile comment and field in example
content/docs/tutorials/acme/example/production-issuer.yaml	Document profile comment and field in example
content/docs/troubleshooting/acme.md	Add common errors for profile usage
content/docs/releases/release-notes/release-notes-1.18.md	Rename release notes section for ACME profiles
content/docs/configuration/acme/README.md	Add profile field and documentation for ACME profiles

[SgtCoDFish]

/lgtm
/approve
/hold

One minor comment but no blocker - feel free to unhold and merge or change + ping for another review!

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: SgtCoDFish

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [SgtCoDFish]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wallrj]

For example:

curl -fsSL https://acme-staging-v02.api.letsencrypt.org/directory

{
  "Hqei3unisp0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "profiles": {
      "classic": "https://letsencrypt.org/docs/profiles#classic",
      "shortlived": "https://letsencrypt.org/docs/profiles#shortlived (not yet generally available)",
      "tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver"
    },
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}

Google and ZeroSSL do not seem to support them yet:

$ curl -fsSL https://dv.acme-v02.test-api.pki.goog/directory | jq
{
  "newNonce": "https://dv.acme-v02.test-api.pki.goog/new-nonce",
  "newAccount": "https://dv.acme-v02.test-api.pki.goog/new-account",
  "newOrder": "https://dv.acme-v02.test-api.pki.goog/new-order",
  "newAuthz": "https://dv.acme-v02.test-api.pki.goog/new-authz",
  "revokeCert": "https://dv.acme-v02.test-api.pki.goog/revoke-cert",
  "keyChange": "https://dv.acme-v02.test-api.pki.goog/key-change",
  "renewalInfo": "https://dv.acme-v02.test-api.pki.goog/renewal-info",
  "meta": {
    "termsOfService": "https://pki.goog/GTS-SA.pdf",
    "website": "https://pki.goog",
    "caaIdentities": [
      "pki.goog"
    ],
    "externalAccountRequired": true
  }
}

$ curl -fsSL https://acme.zerossl.com/v2/DV90
{
  "newNonce": "https://acme.zerossl.com/v2/DV90/newNonce",
  "newAccount": "https://acme.zerossl.com/v2/DV90/newAccount",
  "newOrder": "https://acme.zerossl.com/v2/DV90/newOrder",
  "revokeCert": "https://acme.zerossl.com/v2/DV90/revokeCert",
  "renewalInfo": "https://ari.trust-provider.com/renewalInfo",
  "keyChange": "https://acme.zerossl.com/v2/DV90/keyChange",
  "meta": {
    "termsOfService": "https://www.sectigo.com/uploads/files/Certificate-Subscriber-Agreement-2.7-click.pdf",
    "website": "https://zerossl.com",
    "caaIdentities": ["sectigo.com", "trust-provider.com", "usertrust.com", "comodoca.com", "comodo.com", "entrust.net", "affirmtrust.com"],
    "externalAccountRequired": true
  }
}

They do both support renewal info though:

• Support the ACME Renewal Information (ARI) extension cert-manager#6010

[wallrj]

I ran through this modified GKE tutorial with the tlsserver ACME profile and observed a leaf certificate with no common name and with only one EKU: "Server Auth", rather than the usual server + client auth.

export DOMAIN_NAME=letsencrypt.richard-gcp.jetstacker.net.

$ step certificate inspect https://$DOMAIN_NAME
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 450806451888162871007521095289091657352712 (0x052ccd147b3f7fab19b5092c008ae318c608)
    Signature Algorithm: SHA256-RSA
        Issuer: C=US,O=Let's Encrypt,CN=R10
        Validity
            Not Before: Jun 6 19:09:55 2025 UTC
            Not After : Sep 4 19:09:54 2025 UTC
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: RSA
                Public-Key: (2048 bit)
 ...
       X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:BB:BC:C3:47:A5:E4:BC:A9:C6:C3:A4:72:0C:10:8D:A2:35:E1:C8:E8
            Authority Information Access:
                CA Issuers - URI:http://r10.i.lencr.org/
            X509v3 Subject Alternative Name: critical
                DNS:letsencrypt.richard-gcp.jetstacker.net

I updated the tutorial a little while I was there: #1705

[erikgb]

/lgtm

[wallrj]

/unhold