NEWS: A few hours without new TLS certificates. Let’s Encrypt halts issuance over a trust infrastructure problem

pinkman

A critical error in the trust chain forced the service to halt issuance at short notice and roll back to the Generation X root.
Let’s Encrypt stopped issuing all TLS certificates for several hours because of an error in its trust infrastructure. For a service that automatically issues and renews certificates for millions of sites every day, such a pause is a rare and noticeable outage, even though normal operation was restored on the evening of May 8.

Let’s Encrypt engineers noticed a possible incident on May 8 at 18:37 UTC and immediately froze certificate issuance. The halt affected the ACME API production and staging endpoints, acme-v02.api.letsencrypt.org and acme-staging-v02.api.letsencrypt.org, as well as portal environments in two secure data centers. Two and a half hours later, at 21:03 UTC, the organization announced that issuance had resumed.

The cause was a problem with the cross-signed certificate linking the current Generation X root to the future Generation Y infrastructure. After restoring service, Let’s Encrypt rolled issuance of all new certificates back to the Generation X root. The rollback affected two ACME profiles, tlsserver and shortlived.

The incident came at an inconvenient moment. On May 13, Let’s Encrypt plans to launch several major platform changes. The tlsserver profile is due to start issuing 45-day certificates as part of the transition from 90-day to 45-day lifetimes over the next two years. The tlsclient profile, used for TLS client authentication certificates, will be restricted to ACME accounts that have already requested such certificates before. Let’s Encrypt plans to end tlsclient support entirely on July 8, 2026.

Another planned change concerns the classic ACME profile. Let’s Encrypt is to move it to Generation Y intermediate certificates, which chain to the existing X1 and X2 roots. The transition is needed to stay compatible with a variety of client environments while gradually preparing the infrastructure for a new root chain.


According to the organization, all three changes are already running in the staging environment and remain scheduled for production launch on May 13. The final decision depends on how Let’s Encrypt resolves the root certificate problem.

Let’s Encrypt has not said whether any incorrectly issued certificates reached users before the halt. Administrators who rely on automatic renewal through ACME, especially with the tlsserver and shortlived profiles, should check their renewal logs from May 8 and confirm that their certificates chain to the expected root. Discussion of the incident and updates are available on community.letsencrypt.org.
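A practical way to act on that advice is to inspect the bundle the ACME client actually wrote (certbot and acme.sh call it fullchain.pem) and confirm that the last certificate in it is issued by the root you expect, then run a full path validation against that root. The script below is an added example, not code from the post or from Let’s Encrypt; it assumes openssl is on PATH and that the bundle is ordered leaf first, then intermediates, and it builds a constructed three-tier demo chain (root, intermediate, leaf, with made-up names) so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the post or from Let's Encrypt): inspect the
# fullchain.pem an ACME client wrote and confirm which root it chains to.
# Assumes: openssl on PATH; bundle order is leaf first, then intermediates.
# "Demo Root X" / "Demo Intermediate" / www.example.test below are
# constructed names for the offline demo only.
set -e

# Print one "subject <- issuer" line per certificate in a PEM bundle, leaf first.
chain_summary() {
  tmp=$(mktemp -d)
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n > 0 { f = sprintf("%s/cert_%02d.pem", dir, n); print > f }
  ' "$1"
  for f in "$tmp"/cert_*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    echo "$subj <- $iss"
  done
  rm -rf "$tmp"
}

# Issuer of the last certificate in the bundle: the root the chain is built
# towards (ACME clients normally do not include the root itself in the bundle).
chain_anchor_issuer() {
  chain_summary "$1" | tail -n 1 | sed 's/.* <- //'
}

# Returns 0 if the chain anchors to the expected root CN, 1 otherwise.
check_chain_anchor() {
  anchor=$(chain_anchor_issuer "$1")
  case "$anchor" in
    *"CN=$2"*) echo "OK: chain anchors to $anchor"; return 0 ;;
    *) echo "MISMATCH: chain anchors to '$anchor', expected CN=$2"; return 1 ;;
  esac
}

# Full path validation of the leaf against a given root PEM, using the rest of
# the bundle as untrusted intermediates (what a TLS client does at handshake).
verify_chain() {
  leaf=$(mktemp)
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1 { print }' "$1" > "$leaf"
  if openssl verify -CAfile "$2" -untrusted "$1" "$leaf" >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -f "$leaf"
  return $rc
}

# Build a constructed root -> intermediate -> leaf chain in DIR for offline use.
make_demo_bundle() {
  dir=$1
  ec="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
  openssl req -x509 $ec -keyout "$dir/root.key" -out "$dir/root.pem" \
    -subj "/CN=Demo Root X" -days 2 >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl req -new $ec -keyout "$dir/int.key" -out "$dir/int.csr" \
    -subj "/CN=Demo Intermediate" >/dev/null 2>&1
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -out "$dir/int.pem" -days 2 -extfile "$dir/ca.ext" >/dev/null 2>&1
  openssl req -new $ec -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    -subj "/CN=www.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -out "$dir/leaf.pem" -days 2 >/dev/null 2>&1
  # Same layout an ACME client writes: leaf first, then the intermediate.
  cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/fullchain.pem"
}

# Usage: sh check_chain.sh /path/to/fullchain.pem "<expected root CN>"
if [ "$#" -eq 2 ]; then
  chain_summary "$1"
  check_chain_anchor "$1" "$2"
fi
```

The issuer-name check in check_chain_anchor is only a sanity check: a name can be matched by any certificate that claims it. verify_chain is the check that matters, because it performs real path validation, so point it at the root PEM from your own trust store rather than at anything downloaded alongside the bundle. Since the root is normally absent from fullchain.pem, the anchor is read from the issuer field of the last certificate present, which is why the bundle order matters.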