
Let’s Encrypt Root Certificate Incident Pauses Issuance

On May 8, 2026, Let’s Encrypt, the world’s largest free Certificate Authority (CA), suspended all certificate issuance for roughly two and a half hours. The outage was triggered by a defect in a cross-signed certificate meant to bridge the organization’s legacy Generation X roots to its newly deployed Generation Y hierarchy.

Issuance was halted on both the production and staging ACME API endpoints at 18:37 UTC while engineers worked to stop incorrectly chained certificates from being handed out.


The Root of the Issue: Gen X to Gen Y

Let’s Encrypt has been gradually transitioning to its “Generation Y” hierarchy (including roots YE and YR) to modernize its infrastructure and meet upcoming CA/Browser Forum requirements. To maintain compatibility with older devices that don’t yet trust the new roots, Let’s Encrypt uses cross-signatures from its existing ISRG Root X1 and X2. A cross-signature is simply a certificate for the new hierarchy’s key issued by one of the old roots, so a client that trusts only ISRG Root X1 or X2 can still build a valid path to a leaf issued under the new intermediates. If that cross-signed certificate is wrong, the chain a server sends will not validate on exactly those older clients.

What went wrong:

A critical error in the cross-signing between these two generations was detected. Rather than risk handing out certificates whose chains would not validate, Let’s Encrypt executed an immediate rollback. By 21:03 UTC issuance had resumed, with one major caveat: all certificates were switched back to issuing exclusively from the Generation X hierarchy.

Impacted Profiles:

  • tlsserver: The opt-in profile for early adopters.
  • shortlived: The profile for ultra-short validity certificates (6 days).

Timing and the “Roadmap to 45 Days”

This incident comes at a high-pressure moment for the CA. Let’s Encrypt is currently five days away from a major platform update scheduled for May 13, 2026. This update includes:

  1. 45-Day Certificate Lifetimes: The tlsserver profile will begin issuing 45-day certificates instead of the standard 90-day ones. This is part of a two-year industry roadmap toward shorter lifetimes, which improve security by limiting how long a compromised key or mis-issued certificate remains usable.
  2. The “Classic” Profile Shift: The default ACME profile (used by most Certbot users) is still scheduled to transition to Generation Y intermediates on May 13.
  3. Client Authentication Sunset: The tlsclient profile will become restricted, with full support ending on July 8, 2026.

Despite the May 8 hiccup, Let’s Encrypt officials state that these changes remain on track for the May 13 rollout, provided the root issue is fully resolved in the staging environment.


What Administrators Should Do

If your servers were scheduled to renew certificates on May 8, you may have seen temporary failures, or rate-limit errors once clients retried en masse after the API came back online.

  • Verify Your Chain: Inspect what your server actually serves with openssl s_client -connect yourdomain.com:443 -showcerts. A server normally sends the leaf and its intermediates but not the root, so look at the issuer of the last certificate in the output (or at the last certificate itself, if your server includes the root). During this rollback period it should name ISRG Root X1 or ISRG Root X2, and the chain should verify against that root rather than merely mention it.
  • Monitor Renewal Logs: Ensure your ACME client (Certbot, acme.sh, etc.) successfully completed its task once the API was restored.
  • Check for ARI Support: Let’s Encrypt recommends using clients that support ACME Renewal Information (ARI), which lets the CA tell your client the window in which it should renew, including asking for an earlier renewal than usual while an incident like this one is being cleaned up.
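The chain check above, worked through end to end as an added example; this is not code from the article or from Let’s Encrypt. Because it has to run offline, it first builds a throwaway test PKI with made-up names (Example Root X1, Example Intermediate E1, www.example.test, and an unrelated Example Root X2 for the negative case) and fakes the chatter that openssl s_client -showcerts prints around the certificates. The interesting part is the second half: splitting the -showcerts output into one file per certificate, printing the path of subjects down to the issuer of the last certificate, and then actually verifying the served chain against the root you expect, so that a chain which merely names the right root but does not validate is caught too.

```shell
#!/bin/sh
# Added example (not from the article or from Let's Encrypt). Builds a constructed
# test PKI, then inspects the "served" chain the way the Verify Your Chain step describes.
set -eu

WORK=$(mktemp -d)

# Minimal openssl.cnf for `req`, so the example does not depend on the system config.
# All names are made up for this example.
req_cnf() {  # $1 = CN
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nO = Example Trust\nCN = %s\n' "$1"
  printf '[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n'
}

mkroot() {  # $1 = CN, $2 = output basename: self-signed CA certificate
  req_cnf "$1" > "$WORK/$2.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$WORK/$2.cnf" \
    -extensions v3_ca -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}
mkroot "Example Root X1" root         # the root we expect chains to end in
mkroot "Example Root X2" other-root   # an unrelated root, for the negative check

# Intermediate signed by the root (pathlen:0: it may only issue end-entity certs).
req_cnf "Example Intermediate E1" > "$WORK/int.cnf"
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/int.cnf" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null

# Leaf signed by the intermediate; 6-day validity, like the shortlived profile.
req_cnf "www.example.test" > "$WORK/leaf.cnf"
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/leaf.cnf" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 6 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# Constructed stand-in for `openssl s_client -connect host:443 -showcerts`: handshake
# chatter around the certificates the server sends (leaf first, then intermediate;
# the root itself is normally NOT sent, so the last certificate's issuer names it).
{
  echo 'CONNECTED(00000003)'
  echo 'depth=0 CN = www.example.test'
  echo 'verify return:1'
  cat "$WORK/leaf.pem" "$WORK/int.pem"
  echo '---'
} > "$WORK/s_client.out"

# Split -showcerts output into one PEM per certificate: $2-0.pem, $2-1.pem, ...
# Lines outside BEGIN/END blocks (the handshake chatter) are dropped.
split_chain() {
  awk -v prefix="$2" '
    BEGIN { n = 0 }
    /-----BEGIN CERTIFICATE-----/ { out = prefix "-" n ".pem"; n++ }
    out                           { print > (out) }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$1"
}

# Print "leaf CN <- intermediate CN <- ... <- issuer of the last cert". The final
# name is the root the chain claims to end in; during the rollback you would expect
# ISRG Root X1 or ISRG Root X2 there.
chain_path() {
  path=""; last=""
  for f in "$@"; do
    path="${path}$(openssl x509 -in "$f" -noout -subject | sed -n 's/.*CN *= *//p') <- "
    last="$f"
  done
  printf '%s%s\n' "$path" "$(openssl x509 -in "$last" -noout -issuer | sed -n 's/.*CN *= *//p')"
}

# Succeed only if the served chain really verifies up to the root you expect.
# $1 = trusted root PEM, $2 = leaf, remaining args = intermediates (passed as
# -untrusted, which is how a client treats certificates the server sent along).
verify_against_root() {
  root="$1"; leaf="$2"; shift 2
  untrusted=""
  for f in "$@"; do untrusted="$untrusted -untrusted $f"; done
  # word-splitting $untrusted into repeated -untrusted options is intended
  openssl verify -CAfile "$root" $untrusted "$leaf" >/dev/null 2>&1
}

split_chain "$WORK/s_client.out" "$WORK/served"
chain_path "$WORK/served-0.pem" "$WORK/served-1.pem"
# -> www.example.test <- Example Intermediate E1 <- Example Root X1
if verify_against_root "$WORK/root.pem" "$WORK/served-0.pem" "$WORK/served-1.pem"; then
  echo "chain verifies against the expected root"
fi
if ! verify_against_root "$WORK/other-root.pem" "$WORK/served-0.pem" "$WORK/served-1.pem"; then
  echo "chain does NOT verify against an unrelated root (as it should not)"
fi
```

On a real host, replace the constructed s_client.out with the saved output of openssl s_client -connect yourdomain.com:443 -showcerts, point verify_against_root at the ISRG Root X1 or X2 PEM from your trust store, and treat a failing verify as a renewal problem even if the printed path looks right.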
