On May 8, 2026, Let’s Encrypt, a leading certificate authority, temporarily suspended all certificate issuance due to a critical issue involving a cross-signed certificate linking its Generation X root to the forthcoming Generation Y root infrastructure. This incident led to a complete halt in both production and staging environments, with services restored within hours.
At 18:37 UTC, Let’s Encrypt engineers detected the problem and promptly ceased all certificate issuance as a precaution. The affected components included the production and staging ACME API endpoints (`acme-v02.api.letsencrypt.org` and `acme-staging-v02.api.letsencrypt.org`), as well as the production and staging portal environments hosted across two high-assurance data centers. By 21:03 UTC, approximately two and a half hours later, issuance resumed. However, due to the cross-signed certificate issue, all certificate generation was reverted to the Generation X root. This rollback specifically impacted two ACME certificate profiles: `tlsserver` and `shortlived`.
The timing of this incident is notable, as Let’s Encrypt had previously announced three significant platform changes scheduled for May 13, 2026:
1. Transition to 45-Day Certificates: The `tlsserver` ACME profile was set to begin issuing certificates with a 45-day validity period, aligning with Let’s Encrypt’s phased plan to reduce certificate lifetimes from 90 days to 45 days over the next two years. ([cybersecuritynews.com](https://cybersecuritynews.com/lets-encrypt-45-days-certificate/amp/?utm_source=openai))
2. Restriction of `tlsclient` Profile: The `tlsclient` profile, used for TLS client authentication certificates, was to be restricted exclusively to ACME accounts that had previously requested certificates from that profile. Full support for `tlsclient` certificates is scheduled to end on July 8, 2026. ([cybersecuritynews.com](https://cybersecuritynews.com/lets-encrypt-unveils-new-generation-y-root/?utm_source=openai))
3. Transition to Generation Y Intermediates: The `classic` ACME profile was slated to transition to Generation Y intermediates, which chain to the existing X1 and X2 roots—a change designed to maintain broad compatibility across client environments. ([cybersecuritynews.com](https://cybersecuritynews.com/lets-encrypt-unveils-new-generation-y-root/?utm_source=openai))
All three changes are currently live in Let’s Encrypt’s staging environment and remain on track for the May 13 production rollout, pending resolution of the root certificate issue.
Let’s Encrypt has not disclosed whether any incorrectly issued certificates were distributed before issuance was halted. Administrators relying on automated ACME-based renewal workflows, particularly those using the `tlsserver` or `shortlived` profiles, should monitor renewal logs closely and verify that certificates issued around the May 8 window chain correctly to the expected root. Updates and community support are available at `community.letsencrypt.org`.
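The check recommended above, sketched with Go's standard `crypto/x509` package. This is an added example, not Let's Encrypt tooling or code from the original article. The function names `audit` and `issue`, the constructed roots A and B, and the all-day May 8 UTC window are assumptions; for a real audit, parse your own leaf, intermediate and expected-root PEM files and pass them to `audit`.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// audit reports whether leaf was issued inside [start, end] and, if so, whether it chains
// to the one pinned root. It verifies as of issuance, so an expired short-lived cert still counts.
func audit(leaf, inter, root *x509.Certificate, start, end time.Time) (inWindow bool, err error) {
	if leaf.NotBefore.Before(start) || leaf.NotBefore.After(end) {
		return false, nil
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root) // trust only the expected root, never the system store
	inters.AddCert(inter)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: leaf.NotBefore.Add(time.Hour)})
	return true, err
}

// issue builds a constructed demo certificate (errors ignored); a nil parent self-signs.
func issue(cn string, ca bool, nb time.Time, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: nb.AddDate(1, 0, 0), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

func main() {
	day := time.Date(2026, 5, 8, 0, 0, 0, 0, time.UTC) // assumed audit window: all of May 8 UTC
	rootA, keyA := issue("constructed root A", true, day.AddDate(0, -1, 0), nil, nil)
	rootB, _ := issue("constructed root B", true, day.AddDate(0, -1, 0), nil, nil)
	inter, keyI := issue("constructed intermediate", true, day.AddDate(0, -1, 0), rootA, keyA)
	leaf, _ := issue("example.test", false, day.Add(19*time.Hour), inter, keyI)
	_, errA := audit(leaf, inter, rootA, day, day.AddDate(0, 0, 1))
	_, errB := audit(leaf, inter, rootB, day, day.AddDate(0, 0, 1))
	fmt.Println("pinned root A:", errA, "| pinned root B:", errB)
}
```

A non-nil error for an in-window certificate means it does not chain to the root you pinned and should be reviewed and reissued.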
This incident underscores the complexities involved in managing certificate authorities and the critical importance of robust infrastructure to maintain trust and security on the internet.