On May 8, 2026, Let’s Encrypt, the widely used non-profit certificate authority, took the drastic step of temporarily suspending all certificate issuance. The move came after engineers discovered a critical issue involving a cross-signed certificate that linked the organization’s current Generation X root to its upcoming Generation Y root infrastructure. This preventive measure resulted in a complete shutdown of services across both production and staging environments for several hours.
Restoring Stability through Rollback
To ensure the integrity of the ecosystem, Let’s Encrypt rolled back all certificate generation to the Generation X root. This specific action has direct implications for two ACME certificate profiles: tlsserver and shortlived. While the organization acted quickly to minimize downtime, the rollback serves as a temporary fix while engineers address the underlying cross-signed certificate issue.
Administrators who manage automated ACME-based renewals are encouraged to check their logs. Specifically, those utilizing the tlsserver or shortlived profiles should verify that any certificates issued around the May 8 window are correctly chained to the expected root. At this time, Let’s Encrypt has not confirmed whether any misissued certificates reached the public before the shutdown took effect.
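The check described above, as an added example that is not from the original article or from Let's Encrypt: it parses the output of `openssl x509 -noout -issuer -startdate` for a certificate and flags tlsserver or shortlived certificates issued in the window whose issuer is not on an operator-supplied list. The issuer names, the May 7-9 UTC window and the sample outputs are constructed assumptions.

```python
import re
from datetime import datetime, timezone

AFFECTED_PROFILES = {"tlsserver", "shortlived"}  # profiles named in the article
# Assumption: "around May 8" is read as May 7-9, 2026 UTC; widen if needed.
WINDOW = (datetime(2026, 5, 7, tzinfo=timezone.utc),
          datetime(2026, 5, 10, tzinfo=timezone.utc))
# Placeholder: fill in the issuer CNs you expect; the article does not list them.
EXPECTED_ISSUER_CNS = {"EXAMPLE-GEN-X-INTERMEDIATE"}

def parse_openssl_fields(text):
    """Return (issuer_cn, not_before) from `openssl x509 -noout -issuer -startdate`."""
    issuer = re.search(r"^issuer=(.*)$", text, re.M)
    start = re.search(r"^notBefore=(.*)$", text, re.M)
    if not issuer or not start:
        raise ValueError("expected issuer= and notBefore= lines")
    # Spacing around '=' and the RDN separator differ between OpenSSL versions.
    cn = re.search(r"\bCN\s*=\s*([^,/]+)", issuer.group(1))
    if not cn:
        raise ValueError("issuer has no CN")
    # Collapse the padding OpenSSL adds before single-digit days.
    stamp = " ".join(start.group(1).split())
    not_before = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
    return cn.group(1).strip(), not_before.replace(tzinfo=timezone.utc)

def triage(text, profile):
    """Classify one certificate as 'ok', 'review', or 'out-of-scope'."""
    cn, not_before = parse_openssl_fields(text)
    in_window = WINDOW[0] <= not_before < WINDOW[1]
    if profile not in AFFECTED_PROFILES or not in_window:
        return "out-of-scope"
    return "ok" if cn in EXPECTED_ISSUER_CNS else "review"

# Constructed sample outputs (not real certificates).
SAMPLES = {
    "expected": "issuer=C = US, O = Let's Encrypt, CN = EXAMPLE-GEN-X-INTERMEDIATE\n"
                "notBefore=May  8 14:02:11 2026 GMT\n",
    "unexpected": "issuer=C=US, O=Let's Encrypt, CN=EXAMPLE-GEN-Y-INTERMEDIATE\n"
                  "notBefore=May  8 09:30:00 2026 GMT\n",
    "older": "issuer=C=US, O=Let's Encrypt, CN=EXAMPLE-GEN-Y-INTERMEDIATE\n"
             "notBefore=Apr 20 00:00:00 2026 GMT\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, triage(text, "tlsserver"))
```

A `review` result only compares the immediate issuer name; confirm the full chain against the root you trust with `openssl verify -CAfile <expected-root.pem> -untrusted <chain.pem> <cert.pem>`.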
Upcoming Changes to Certificate Lifetimes
The timing of this infrastructure incident is particularly sensitive as Let’s Encrypt prepares for a major platform update scheduled for May 13, 2026. Despite the recent root incident, the organization remains on track to implement three significant changes:
The tlsserver ACME profile will transition to 45-day certificates. This is part of a broader strategy to reduce standard certificate lifespans from 90 days to 45 days over the next two years.
Access to the tlsclient profile will be restricted to accounts with a history of requesting those specific certificates, with full support for these certificates set to end on July 8, 2026.
The classic ACME profile will migrate to Generation Y intermediates. These will chain to existing X1 and X2 roots to maintain compatibility across various client environments.
While these updates are already active in the staging environment, the security community will be watching closely to see if the recent root certificate complications impact the production rollout. Let’s Encrypt continues to provide updates through its community support portal for concerned administrators and developers.