On May 8, 2026, Let’s Encrypt temporarily halted certificate issuance because of a significant issue involving a cross-signed certificate. The cross-signed certificate links the organization’s current Generation X root certificate to its future Generation Y infrastructure, and the issue prompted an immediate response from engineers.
Immediate Response to the Issue
After detecting the issue at 18:37 UTC, Let’s Encrypt engineers suspended all certificate issuance. This precaution affected both the production and staging environments, which were hosted across two high-assurance data centers. Services were restored within a few hours.
By 21:03 UTC, the organization confirmed that certificate issuance had resumed. However, the cross-signed certificate incident necessitated a rollback to the Generation X root, impacting specific ACME certificate profiles, notably tlsserver and shortlived.
Impact on Scheduled Platform Changes
The timing of this incident was critical as it occurred just days before three major platform updates scheduled for May 13, 2026. One significant change involved the tlsserver ACME profile, which will start issuing 45-day certificates. This is part of a phased plan to reduce certificate lifespans from 90 to 45 days over two years.
Additionally, the tlsclient profile, used for TLS client authentication, will be limited to ACME accounts that have previously requested certificates from it. Full support for these tlsclient certificates will end on July 8, 2026. Another anticipated change involves transitioning the classic ACME profile to Generation Y intermediates, ensuring compatibility.
Monitoring and Future Outlook
Let’s Encrypt has not specified if any incorrectly issued certificates were released before the suspension. Administrators using automated ACME renewal workflows, especially those with tlsserver or shortlived profiles, should carefully check renewal logs to ensure proper certificate chaining to the expected root.
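One way to automate the chain check described above, as an added example that is not code from Let’s Encrypt or from the original article: a Go function that verifies a renewed PEM bundle against a single pinned root. The certificates, their names and the helper `issue` are constructed for the demonstration; in practice the pinned root is the operator's own copy of the expected root certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ChainsToRoot verifies the leaf (first certificate in a PEM bundle) up to the pinned root only.
func ChainsToRoot(bundle []byte, pinned *x509.Certificate) error {
	block, rest := pem.Decode(bundle)
	if block == nil {
		return fmt.Errorf("no PEM certificate in bundle")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(pinned)          // explicit Roots, so the system trust store is not consulted
	inter.AppendCertsFromPEM(rest) // the rest of the bundle is treated as untrusted intermediates
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}

func issue(cn string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed throwaway key and certificate, demo only
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil { // nil parent: self-signed root
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	c, _ := x509.ParseCertificate(der)
	return c, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	rootX, kx, _ := issue("Constructed Root X", true, nil, nil)
	rootY, _, _ := issue("Constructed Root Y", true, nil, nil)
	ica, ki, icaPEM := issue("Constructed Intermediate", true, rootX, kx)
	_, _, leafPEM := issue("renewed.example.test", false, ica, ki)
	bundle := append(leafPEM, icaPEM...)
	fmt.Println("pinned X:", ChainsToRoot(bundle, rootX), "| pinned Y:", ChainsToRoot(bundle, rootY))
}
```

A non-nil error for a bundle that previously passed is the cue to inspect which root the renewed certificate now chains to.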
Despite the temporary halt, the planned platform changes remain on schedule for their May 13 rollout. Administrators and users can continue to access updates and community support through the Let’s Encrypt forum. This incident underscores the importance of vigilance in certificate management to mitigate potential security risks.
