CyberSecurity News

Let’s Encrypt Halts Certificate Issuance Due to Let’s After

Let’s Encrypt temporarily suspended all certificate issuance on May 8, 2026. This action followed engineers’ identification of a critical issue involving a cross-signed certificate linking the...

Marcus Rodriguez
Marcus Rodriguez
May 9, 2026 2 Min Read
1 0

Let’s Encrypt temporarily suspended all certificate issuance on May 8, 2026. This action followed engineers’ identification of a critical issue involving a cross-signed certificate linking the organization’s Generation X root to its upcoming Generation Y root infrastructure.

The incident triggered a complete shutdown of issuance across both production and staging environments before services were restored within hours.

At 18:37 UTC on May 8, Let’s Encrypt engineers became aware of a potential incident and immediately halted all certificate issuance as a precautionary measure.

The affected components included the production and staging ACME API endpoints (acme-v02.api.letsencrypt.org and acme-staging-v02.api.letsencrypt.org), as well as the production and staging portal environments hosted across two high-assurance datacenters.

By 21:03 UTC, roughly two and a half hours later, the organization confirmed that issuance had resumed. However, as a direct result of the cross-signed certificate issue, all certificate generation was rolled back to the Generation X root.

This rollback specifically impacts two ACME certificate profiles: tlsserver and shortlived.

The timing of the incident is notable given that Let’s Encrypt had already announced three significant platform changes scheduled to go live on May 13, 2026, just five days away. Those changes include:

The tlsserver ACME profile will begin issuing 45-day certificates as part of Let’s Encrypt’s phased roadmap to reduce certificate lifetimes from 90 days down to 45 days over the next two years.

The tlsclient profile, used for TLS client authentication certificates, will be restricted exclusively to ACME accounts that have previously requested certificates from that profile. Full support for tlsclient certificates will end on July 8, 2026.

The classic ACME profile was also scheduled to transition to Generation Y intermediates, which chain to the existing X1 and X2 roots a change designed to maintain broad compatibility across client environments.

All three changes are currently live in Let’s Encrypt’s staging environment and remain on track for the May 13 production rollout, pending resolution of the root certificate issue.

Let’s Encrypt has not disclosed details about whether any incorrectly issued certificates were distributed before issuance was halted.

Administrators relying on automated ACME-based renewal workflows, particularly those using the tlsserver or shortlived profiles should monitor renewal logs closely and verify that certificates issued around the May 8 window chain correctly to the expected root. Updates and community support remain available at community.letsencrypt.org.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

No Comment! Be the first one.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts