Let’s Encrypt Halts Issuance Over Expired Root Certificate Bug
Key Takeaways Let’s Encrypt temporarily suspended all certificate issuance on May 8, 2026, due to an issue with an expired root certificate. The problem stemmed from a cross-signed certificate...
Key Takeaways
- Let’s Encrypt temporarily suspended all certificate issuance on May 8, 2026, due to an issue with an expired root certificate.
- The problem stemmed from a cross-signed certificate linking the organization’s current Generation X root to its forthcoming Generation Y infrastructure.
- Issuance was halted across production and staging environments, affecting ACME API endpoints and portal services.
- Services resumed within hours, but all new certificate generation was rolled back to the Generation X root, specifically impacting the
tlsserverandshortlivedACME profiles. - The incident occurred just five days before several major platform updates, including a shift to 45-day certificate lifetimes for
tlsserverprofiles.
Let’s Encrypt Halts Certificate Issuance Over Expired Root Certificate Flaw
Let’s Encrypt, a leading certificate authority, briefly ceased all certificate issuance on May 8, 2026, after engineers identified a critical problem involving an expired root certificate. The disruption arose from a cross-signed certificate intended to bridge the organization’s existing Generation X root with its planned Generation Y infrastructure, leading to a temporary shutdown of certificate services.
Table Of Content
Incident Response and Service Restoration
The incident began at 18:37 UTC on May 8 when Let’s Encrypt engineers detected a potential issue. As a precautionary measure, all certificate issuance was immediately suspended. This halt affected both production and staging ACME API endpoints, specifically acme-v02.api.letsencrypt.org and acme-staging-v02.api.letsencrypt.org, alongside associated portal environments hosted across two high-assurance data centers.
Within approximately two and a half hours, by 21:03 UTC, Let’s Encrypt confirmed that certificate issuance had resumed. However, as a direct consequence of the cross-signed certificate issue, all new certificate generation was reverted to the Generation X root. This rollback specifically impacts certificates issued under the tlsserver and shortlived ACME profiles.
Impact on Upcoming Platform Changes
The timing of this incident is particularly noteworthy, as Let’s Encrypt had previously announced a series of significant platform updates scheduled for May 13, 2026—just five days after the service interruption. These planned changes include:
- The
tlsserverACME profile was set to begin issuing 45-day certificates, a step in Let’s Encrypt’s two-year roadmap to halve certificate lifetimes from 90 to 45 days. - The
tlsclientprofile, used for TLS client authentication certificates, was slated for restriction to ACME accounts that had previously requested certificates from that profile. Full support fortlsclientcertificates is scheduled to end on July 8, 2026. - The
classicACME profile was also scheduled to transition to Generation Y intermediates, which chain to the existing X1 and X2 roots, aiming to maintain broad client compatibility.
Despite the recent root certificate issue, all three forthcoming changes are currently live in Let’s Encrypt’s staging environment and remain on track for their May 13 production rollout, pending a complete resolution of the underlying root certificate problem. Let’s Encrypt has not yet disclosed whether any improperly issued certificates were distributed during the brief window before issuance was halted.
What You Should Do
- Administrators utilizing automated ACME-based renewal workflows, especially those relying on the
tlsserverorshortlivedprofiles, should meticulously review their renewal logs. - Verify that any certificates issued around the May 8, 2026, incident window correctly chain to the expected Generation X root.
- Stay informed by monitoring updates and community support available at
community.letsencrypt.orgfor further guidance and announcements.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.