Let’s Encrypt Restores Certificate Issuance After Cross-Signed Root Incident
Let’s Encrypt temporarily stopped certificate issuance on May 8, 2026, after discovering a problem with a cross-signed certificate connected to its new Generation Y root hierarchy. The outage affected new certificate issuance, not already issued certificates.
The incident began at 18:37 UTC, when Let’s Encrypt said it had been made aware of a potential incident and was shutting down all issuance. Service resumed at 21:03 UTC, after the organization switched issuance back to its Generation X root certificate.
The rollback affects the tlsserver and shortlived ACME certificate profiles. Let’s Encrypt also said the planned switch to Generation Y intermediates announced for May 13 would be delayed.
What happened
Let’s Encrypt’s status page listed the affected components as the production and staging ACME API endpoints, along with the production and staging portal environments. The impacted services included acme-v02.api.letsencrypt.org and acme-staging-v02.api.letsencrypt.org.
The organization later explained that the issue involved a cross-signed certificate from its Generation X root to its new Generation Y root. After restoring service, Let’s Encrypt moved all issuance back to the older Generation X root.
A separate community incident post says the Gen Y cross-certified subordinate CA certificates were issued without the id-kp-serverAuth extended key usage (EKU) that CCADB policy has required in cross-signed intermediate certificates issued since June 15, 2025. A CA certificate with no EKU extension does not restrict path validation in common clients, so a normal TLS handshake would not have revealed the defect; it is a root-program compliance failure rather than something browsers would reject.
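The following Go program is an added example, not code from the article or from Let's Encrypt, that builds a constructed miniature of the hierarchy described above: a "Gen X Root", a "Gen Y" key, and two cross-certificates for that key signed by Gen X, one without and one with the serverAuth EKU. The names, serial numbers, dates, the "Example CA" organization and www.example.com are all assumptions. It shows two things at once: the policy check (CheckCrossCert) rejects the cross-certificate that lacks id-kp-serverAuth, while standard path validation (Go's x509 verifier standing in for a TLS client) accepts a server certificate through either variant. The June 15, 2025 cutoff the article mentions is not modelled; the check applies to any cross-signed CA certificate you feed it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// The fixtures below are constructed for this example; a failure building them is a bug.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// issue signs tmpl for pub with the signer's key and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// caTemplate is a CA certificate template; Go derives SubjectKeyId from the public key.
func caTemplate(serial int64, cn string, from time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial),
		Subject:   pkix.Name{Organization: []string{"Example CA"}, CommonName: cn},
		NotBefore: from, NotAfter: from.AddDate(10, 0, 0),
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageCRLSign, BasicConstraintsValid: true, IsCA: true}
}

// crossSign issues a CA certificate for the Gen Y key signed by the Gen X root;
// withServerAuth reproduces the two variants the article contrasts.
func crossSign(genX *x509.Certificate, xKey *ecdsa.PrivateKey, yPub *ecdsa.PublicKey, withServerAuth bool, serial int64) *x509.Certificate {
	tmpl := caTemplate(serial, "Gen Y Root", time.Date(2026, 4, 1, 0, 0, 0, 0, time.UTC))
	if withServerAuth {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return issue(tmpl, genX, yPub, xKey)
}

// issueLeaf issues a 90-day server certificate under the Gen Y CA (assumed host name).
func issueLeaf(genY *x509.Certificate, yKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	from := time.Date(2026, 5, 1, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1000), DNSNames: []string{host},
		NotBefore: from, NotAfter: from.AddDate(0, 0, 90), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return issue(tmpl, genY, &newKey().PublicKey, yKey)
}

// CheckCrossCert applies the rule the article attributes to CCADB policy:
// a cross-signed CA certificate must carry id-kp-serverAuth.
func CheckCrossCert(c *x509.Certificate) error {
	if !c.IsCA {
		return fmt.Errorf("%q is not a CA certificate", c.Subject.CommonName)
	}
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth {
			return nil
		}
	}
	return fmt.Errorf("cross-certificate for %q lacks id-kp-serverAuth", c.Subject.CommonName)
}

// ChainsForServerAuth reports whether leaf builds a serverAuth path to root via cross,
// as a TLS client would; a CA certificate with no EKU extension is unrestricted.
func ChainsForServerAuth(leaf, cross, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(cross)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: time.Date(2026, 5, 8, 19, 0, 0, 0, time.UTC),
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil
}

// Result holds both checks for the cross-certificate without and with serverAuth.
type Result struct{ BadPolicy, GoodPolicy error; BadChains, GoodChains bool }

// Demo builds the Gen X root, both Gen Y cross-certificates and a leaf, then runs the checks.
func Demo() Result {
	xKey, yKey := newKey(), newKey()
	xTmpl := caTemplate(1, "Gen X Root", time.Date(2025, 7, 1, 0, 0, 0, 0, time.UTC))
	genX := issue(xTmpl, xTmpl, &xKey.PublicKey, xKey) // self-signed
	bad := crossSign(genX, xKey, &yKey.PublicKey, false, 10)
	good := crossSign(genX, xKey, &yKey.PublicKey, true, 11)
	leaf := issueLeaf(good, yKey, "www.example.com") // same issuer name and key under either variant
	return Result{BadPolicy: CheckCrossCert(bad), GoodPolicy: CheckCrossCert(good),
		BadChains: ChainsForServerAuth(leaf, bad, genX), GoodChains: ChainsForServerAuth(leaf, good, genX)}
}
```

Demo() returns BadPolicy set and GoodPolicy nil, but BadChains and GoodChains both true: a leaf served with the EKU-less cross-certificate still validates, which is why only an inspection of the intermediate's extensions, not a handshake test, catches this class of error. To run the same CheckCrossCert against what a real server sends, parse the chain from a tls connection's ConnectionState().PeerCertificates and feed each CA certificate to it.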
At a glance
| Item | Details |
|---|---|
| Incident date | May 8, 2026 |
| Issuance stopped | 18:37 UTC |
| Issuance resumed | 21:03 UTC |
| Main issue | Cross-signed certificate problem between Generation X and Generation Y roots |
| Temporary fix | Issuance switched back to the Generation X root |
| Affected profiles | tlsserver and shortlived |
| May 13 Gen Y switch | Delayed, according to Let’s Encrypt |
Why Let’s Encrypt stopped issuance
Certificate authorities must follow strict browser and root program rules. When Let’s Encrypt found a possible compliance issue in its certificate chain, it stopped issuance while engineers investigated and changed configuration.
The issue centered on cross-signing. A cross-signed certificate is a second CA certificate for the newer root's key, signed by the older root, so clients that trust only the older root can still build a valid path to certificates issued under the new hierarchy. In this case, that link between the existing Generation X root and the newer Generation Y hierarchy became the problem.
Let’s Encrypt said certificate revocation and CRL generation remained functional for Generation Y certificates. The public status update focused on stopping new issuance, not a failure of existing certificates already installed on websites.
What the rollback means
After service resumed, Let’s Encrypt said all issuance had been switched back to the Generation X root certificate. That means new certificates from affected profiles no longer used the cross-signed Generation Y path while the issue remained under review.
Most website operators should see renewals work normally again after the restoration. However, administrators who test or pin certificate chains should verify which root and intermediate chain their systems now receive.
The rollback matters most for organizations using tlsserver or shortlived profiles. These profiles had already been tied to the newer Generation Y hierarchy before the incident.
May 13 changes are partly affected
Before the incident, Let’s Encrypt had announced three certificate profile changes planned for May 13, 2026. The tlsserver profile was set to start issuing 45-day certificates, while tlsclient access was set to become limited to accounts that had already used that profile.
The classic ACME profile was also scheduled to move to new Generation Y intermediates that chain to Let's Encrypt's existing X1 and X2 roots. After the May 8 incident, Let's Encrypt said the Generation Y intermediate switch would be delayed.
Let’s Encrypt’s longer-term certificate lifetime plan still aims to reduce certificate validity from 90 days to 45 days by 2028. The May 13 tlsserver change is an early opt-in step for users testing shorter certificate lifetimes.
Planned profile changes
| Profile | Planned change | Status after incident |
|---|---|---|
| tlsserver | Move to 45-day certificates for early adopters | Still listed in Let’s Encrypt’s timeline, but operators should watch updates |
| tlsclient | Limit use to accounts that previously requested this profile | Support remains scheduled to end on July 8, 2026 |
| classic | Switch to Generation Y intermediates | Delayed after the May 8 incident |
| shortlived | Uses short certificate lifetimes | Issuance switched back to Generation X during the rollback |
What administrators should check
Administrators should review ACME renewal logs from the May 8 outage window. Failed renewals during the incident should be retried after service restoration.
Teams using normal web server certificates should confirm that their automation still renews successfully. Teams using custom trust stores, pinned chains, shortlived certificates, or the tlsserver profile should also inspect the resulting certificate chain.
The incident also gives administrators another reason to test renewal automation before shorter certificate lifetimes become more common. Renewal jobs that run too rarely may become risky as Let’s Encrypt moves toward 45-day certificates.
Recommended actions
- Check ACME renewal logs for failures between 18:37 UTC and 21:03 UTC on May 8.
- Retry any failed certificate orders or renewals.
- Verify the certificate chain for tlsserver and shortlived profile certificates.
- Review systems that pin intermediates or root certificates.
- Monitor Let's Encrypt community updates for the delayed Generation Y intermediate switch.
- Confirm ACME clients can handle 45-day certificates before using the tlsserver profile.
- Use certificate monitoring so teams receive alerts before expiry.
- Review tlsclient usage if any systems still depend on Let’s Encrypt for client authentication certificates.
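For the first two actions, reviewing renewal logs for the outage window and retrying what failed, the following Go program is an added example, not code from the article or from certbot. It assumes certbot's letsencrypt.log line shape ("YYYY-MM-DD HH:MM:SS,mmm:LEVEL:module:message") and its "Failed to renew certificate NAME with error: ..." message; the sample lines are constructed for the example and are not a real log from the incident. Because certbot writes local time while the status page gives UTC, the function takes the host's time zone and converts before comparing.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Incident window from the Let's Encrypt status page, in UTC.
var (
	WindowStart = time.Date(2026, 5, 8, 18, 37, 0, 0, time.UTC)
	WindowEnd   = time.Date(2026, 5, 8, 21, 3, 0, 0, time.UTC)
)

// Assumed certbot log shape: "YYYY-MM-DD HH:MM:SS,mmm:LEVEL:module:message"; a failed
// renewal is logged as "Failed to renew certificate NAME with error: ...".
var (
	lineRe   = regexp.MustCompile(`^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}:([A-Z]+):[^:]+:(.*)$`)
	failedRe = regexp.MustCompile(`^Failed to renew certificate (\S+) with error: (.*)$`)
)

// Finding is one renewal failure that fell inside the incident window.
type Finding struct {
	When  time.Time // converted to UTC
	Name  string    // certbot lineage name
	Error string    // text after "with error:"
}

// FailedRenewalsInWindow returns renewal failures whose timestamp falls in [start, end].
// certbot writes local time, so loc is the host's zone; the comparison is done in UTC.
func FailedRenewalsInWindow(lines []string, start, end time.Time, loc *time.Location) []Finding {
	var out []Finding
	for _, ln := range lines {
		m := lineRe.FindStringSubmatch(ln)
		if m == nil {
			continue
		}
		ts, err := time.ParseInLocation("2006-01-02 15:04:05", m[1], loc)
		if err != nil || ts.Before(start) || ts.After(end) {
			continue
		}
		if f := failedRe.FindStringSubmatch(m[3]); f != nil {
			out = append(out, Finding{When: ts.UTC(), Name: f[1], Error: f[2]})
		}
	}
	return out
}

// SampleLog is constructed for this example in certbot's log format (times in UTC);
// it is not a real log from the incident.
var SampleLog = []string{
	"2026-05-08 17:30:02,114:ERROR:certbot._internal.renewal:Failed to renew certificate old.example.org with error: DNS problem: NXDOMAIN looking up A for old.example.org",
	"2026-05-08 18:45:11,402:ERROR:certbot._internal.renewal:Failed to renew certificate www.example.com with error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error",
	"2026-05-08 19:10:33,008:INFO:certbot._internal.renewal:Certificate not yet due for renewal",
	"2026-05-08 20:02:47,550:ERROR:certbot._internal.renewal:Failed to renew certificate api.example.com with error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error",
	"2026-05-08 21:30:45,991:INFO:certbot._internal.renewal:Congratulations, all renewals succeeded:",
}

func main() {
	// On a real host pass time.Local (or the zone the log was written in) instead of time.UTC.
	for _, f := range FailedRenewalsInWindow(SampleLog, WindowStart, WindowEnd, time.UTC) {
		fmt.Printf("%s  %-18s  %s\n", f.When.Format(time.RFC3339), f.Name, f.Error)
	}
}
```

Only www.example.com and api.example.com fall in the window on the sample data; old.example.org failed for an unrelated DNS reason before the outage and should not be blindly retried. Each reported lineage can be retried with certbot's renewal command for that certificate name once issuance is back.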
Why this matters
Let’s Encrypt powers certificate automation for a large part of the web. Even a short issuance halt can affect hosting platforms, automated deployment pipelines, managed services, and administrators renewing certificates near expiry.
The outage lasted only a few hours, but it happened days before major certificate profile changes. That timing makes the incident important for teams preparing for shorter lifetimes, new intermediates, and the end of TLS client authentication certificate support.
For most site owners, the practical answer is simple. Check renewal logs, make sure automation works, and keep an eye on Let’s Encrypt’s updated rollout schedule.
Summary
- Let’s Encrypt stopped all certificate issuance on May 8, 2026, after a cross-signed root certificate issue.
- Issuance stopped at 18:37 UTC and resumed at 21:03 UTC.
- Let’s Encrypt switched issuance back to its Generation X root for affected profiles.
- The rollback affects the tlsserver and shortlived ACME profiles.
- The planned Generation Y intermediate switch announced for May 13 has been delayed.
FAQ
Did existing certificates stop working?
No. The incident affected certificate issuance. Existing certificates should continue working until their normal expiration date unless a separate local configuration problem exists.
How long was issuance interrupted?
Let's Encrypt stopped issuance at 18:37 UTC and resumed it at 21:03 UTC on May 8, 2026. The interruption lasted about two and a half hours.
What caused the incident?
The issue involved a cross-signed certificate from Let's Encrypt's Generation X root to its new Generation Y root. A follow-up community incident post said the Gen Y cross-certified subordinate CAs were missing the required serverAuth extended key usage.
Which ACME profiles does the rollback affect?
Let's Encrypt said the rollback affects the tlsserver and shortlived ACME certificate profiles.
Is the May 13 switch to Generation Y intermediates still happening?
The planned switch to Generation Y intermediates announced for May 13 has been delayed. Administrators should watch Let's Encrypt's community updates for a revised timeline.