Overview
On May 8, 2026, Let’s Encrypt temporarily suspended all certificate issuance after engineers identified a critical issue involving a cross‑signed certificate linking the Generation X root to the upcoming Generation Y root infrastructure. Issuance was halted across both production and staging environments before being restored within hours.
Timeline of Events
- 18:37 UTC: Engineers detected a potential incident and halted issuance.
- Affected Components:
  - Production & staging ACME API endpoints (acme-v02.api.letsencrypt.org, acme-staging-v02.api.letsencrypt.org).
  - Production & staging portal environments across two datacenters.
- 21:03 UTC: Issuance resumed after ~2.5 hours.
- Rollback: All certificate generation reverted to Generation X root, impacting tlsserver and shortlived ACME profiles.
Impact
- Profiles Affected:
- tlsserver → rolled back to Generation X root.
- shortlived → similarly impacted.
- Uncertainty: No disclosure yet on whether incorrectly issued certificates were distributed before the halt.
- Admin Guidance: Verify renewal logs and confirm certificates issued around May 8 chain correctly to the expected root.
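One way to carry out the admin guidance above, as an added example rather than code from Let's Encrypt or the original post: it reads each deployed chain file with the openssl CLI, keeps those whose leaf was issued inside a review window, and verifies them against a root file you supply. The window (all of May 8 UTC), the function names and the sample issuer are assumptions.

```python
import subprocess
from datetime import datetime, timezone

# Assumed review window: the whole UTC day of the incident
# (the page only says "around May 8").
WINDOW = (datetime(2026, 5, 8, tzinfo=timezone.utc),
          datetime(2026, 5, 9, tzinfo=timezone.utc))

def parse_facts(text):
    """Parse `openssl x509 -noout -issuer -startdate` output into (issuer, not_before)."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    stamp = datetime.strptime(fields["notBefore"].strip(), "%b %d %H:%M:%S %Y GMT")
    return fields["issuer"].strip(), stamp.replace(tzinfo=timezone.utc)

def in_window(not_before, window=WINDOW):
    """True if the certificate's notBefore falls inside the half-open review window."""
    return window[0] <= not_before < window[1]

def leaf_facts(fullchain):
    """Issuer and notBefore of the first (leaf) certificate in a PEM chain file."""
    cmd = ["openssl", "x509", "-in", fullchain, "-noout", "-issuer", "-startdate"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_facts(out)

def chains_to(fullchain, expected_root):
    """True if the leaf verifies up to expected_root, using the file's own intermediates.

    -no-CApath keeps the system trust directory out of the decision, so a chain
    that only validates through some other root is reported as a failure.
    """
    cmd = ["openssl", "verify", "-no-CApath", "-CAfile", expected_root,
           "-untrusted", fullchain, fullchain]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def review(fullchains, expected_root):
    """Return (path, issuer, not_before, chain_ok) for each leaf issued in the window."""
    findings = []
    for path in fullchains:
        issuer, not_before = leaf_facts(path)
        if in_window(not_before):
            findings.append((path, issuer, not_before, chains_to(path, expected_root)))
    return findings

# Constructed sample of the openssl output format; the issuer is a placeholder.
SAMPLE = ("issuer=C = US, O = Example CA, CN = Example Intermediate\n"
          "notBefore=May  8 17:55:02 2026 GMT\n")
```

Call `review()` with the chain files your ACME client wrote and the root you expect; any entry whose last field is False needs a closer look. A certificate that has since expired fails this check on expiry alone, and `openssl verify` accepts `-attime` to evaluate the chain at a past time.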
Upcoming Platform Changes (May 13, 2026)
- tlsserver profile → 45‑day certificates (phased reduction from 90 days).
- tlsclient profile → restricted to prior requesters; full support ends July 8, 2026.
- classic ACME profile → transition to Generation Y intermediates, chaining to X1/X2 roots for compatibility.
All changes remain on track pending resolution of the root certificate issue.
Final Thought
This incident underscores the complexity of root transitions in PKI ecosystems. Even a cross‑signing misstep can halt issuance globally, affecting automated renewal workflows. For administrators, the lesson is clear: monitor ACME logs closely during root transitions and validate certificate chains proactively.