Let\u2019s Encrypt Halts Certificate Issuance After Cross-Signed Root Certificate Incident
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Let\u2019s Encrypt temporarily suspended all certificate issuance on May 8, 2026, after engineers identified a critical issue involving a cross-signed certificate linking the organization\u2019s Generation X root to its upcoming Generation Y root infrastructure<\/a>.<\/p>\n The incident triggered a complete shutdown of issuance across both production and staging environments before services were restored within hours.<\/p>\n At 18:37 UTC on May 8, Let\u2019s Encrypt engineers became aware of a potential incident and immediately halted all certificate issuance as a precautionary measure.<\/p>\n The affected components included the production and staging ACME API endpoints ( By 21:03 UTC, roughly two and a half hours later, the organization confirmed that issuance had resumed. However, as a direct result of the cross-signed certificate issue<\/a>, all certificate generation was rolled back to the Generation X root.<\/p>\n This rollback specifically impacts two ACME certificate profiles: The timing of the incident is notable given that Let\u2019s Encrypt had already announced<\/a> three significant platform changes scheduled to go live on May 13, 2026, just five days away. Those changes include:<\/p>\n The The The All three changes are currently live in Let\u2019s Encrypt\u2019s staging environment and remain on track for the May 13 production rollout, pending resolution of the root certificate issue.<\/p>\n Let\u2019s Encrypt has not disclosed details about whether any incorrectly issued certificates were distributed before issuance was halted.<\/p>\n Administrators relying on automated ACME-based renewal workflows, particularly those using the Cybercriminals now enter through your suppliers instead of your front door \u2013 Free Webinar<\/a><\/strong><\/p>\n The post Let\u2019s Encrypt Halts Certificate Issuance After Cross-Signed Root Certificate Incident<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nacme-v02.api.letsencrypt.org<\/code> and acme-staging-v02.api.letsencrypt.org<\/code>), as well as the production and staging portal environments hosted across two high-assurance datacenters.<\/p>\ntlsserver<\/code> and shortlived<\/code>.<\/p>\ntlsserver<\/code> ACME profile will begin issuing 45-day certificates as part of Let\u2019s Encrypt\u2019s phased roadmap to reduce certificate lifetimes from 90 days down to 45 days over the next two years.<\/p>\ntlsclient<\/code> profile, used for TLS client authentication certificates, will be restricted exclusively to ACME accounts that have previously requested certificates from that profile. Full support for tlsclient<\/code> certificates will end on July 8, 2026.<\/p>\nclassic<\/code> ACME profile was also scheduled<\/a> to transition to Generation Y intermediates, which chain to the existing X1 and X2 roots a change designed to maintain broad compatibility across client environments.<\/p>\ntlsserver<\/code> or shortlived<\/code> profiles should monitor renewal logs closely and verify that certificates issued around the May 8 window chain correctly to the expected root. Updates and community support remain available at community.letsencrypt.org<\/code>.<\/p>\n