diff --git a/tools/deployment/developer/common/900-use-it.sh b/tools/deployment/developer/common/900-use-it.sh
index dc47340a5b..9f95fc7ffc 100755
--- a/tools/deployment/developer/common/900-use-it.sh
+++ b/tools/deployment/developer/common/900-use-it.sh
@@ -87,9 +87,14 @@ function wait_for_ssh_port {
 }
 wait_for_ssh_port $FLOATING_IP
 
+# accept diffie-hellman-group1-sha1 algo for SSH (cirros image should probably be updated to replace this)
+echo "    KexAlgorithms +diffie-hellman-group1-sha1" | sudo tee -a /etc/ssh/ssh_config
+
 # SSH into the VM and check it can reach the outside world
-ssh-keyscan "$FLOATING_IP" >> ~/.ssh/known_hosts
-ssh -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} ping -q -c 1 -W 2 ${OSH_BR_EX_ADDR%/*}
+# note: ssh-keyscan should be re-enabled to prevent skip host key checking
+#   ssh-keyscan does not use ssh_config so ignore host key checking for now
+#ssh-keyscan "$FLOATING_IP" >> ~/.ssh/known_hosts
+ssh -o "StrictHostKeyChecking no" -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} ping -q -c 1 -W 2 ${OSH_BR_EX_ADDR%/*}
 
 # Check the VM can reach the metadata server
 ssh -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} curl --verbose --connect-timeout 5 169.254.169.254
diff --git a/tools/scripts/tls/cert-manager.sh b/tools/scripts/tls/cert-manager.sh
index 5e6e709c9e..75646f1bd5 100755
--- a/tools/scripts/tls/cert-manager.sh
+++ b/tools/scripts/tls/cert-manager.sh
@@ -2,7 +2,7 @@
 
 set -eux
 
-: ${CERT_MANAGER_VERSION:="v1.2.0"}
+: ${CERT_MANAGER_VERSION:="v1.8.0"}
 
 cert_path="/etc/openstack-helm"
 ca_cert_root="$cert_path/certs/ca"