On May 8, 2026, Let’s Encrypt, the widely used non-profit certificate authority, took the drastic step of temporarily suspending all certificate issuance. The move came after engineers discovered a critical issue involving a cross-signed certificate that linked the organization’s current Generation X root to its upcoming Generation Y root infrastructure. This preventive measure resulted in a complete shutdown of services across both production and staging environments for several hours.
Restoring Stability through Rollback
To ensure the integrity of the ecosystem, Let’s Encrypt rolled back all certificate generation to the Generation X root. This specific action has direct implications for two ACME certificate profiles: tlsserver and shortlived. While the organization acted quickly to minimize downtime, the rollback serves as a temporary fix while engineers address the underlying cross-signed certificate issue.
Administrators who manage automated ACME-based renewals are encouraged to check their logs. Specifically, those utilizing the tlsserver or shortlived profiles should verify that any certificates issued around the May 8 window are correctly chained to the expected root. At this time, Let’s Encrypt has not confirmed whether any misissued certificates reached the public before the shutdown took effect.
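The check described above can be scripted. The following is an added example, not code from Let's Encrypt or any ACME client: it takes an inventory of deployed certificates and flags those issued under the tlsserver or shortlived profiles near May 8 whose chain does not end at the expected root. The inventory layout, the one-day margin on either side, and every certificate name are constructed placeholders.

```python
from datetime import datetime, timedelta

# Assumption: review one day either side of 8 May 2026 (UTC).
DAY = datetime.fromisoformat("2026-05-08T00:00:00+00:00")
WINDOW_START, WINDOW_END = DAY - timedelta(days=1), DAY + timedelta(days=2)
AFFECTED_PROFILES = {"tlsserver", "shortlived"}
EXPECTED_ROOT = "CN=Example Root X"  # placeholder; use your real root subject

def terminal_issuer(chain):
    """chain: (subject, issuer) pairs, leaf first, as served.
    Returns the issuer of the last certificate, or None if the names do
    not link up. Name matching only; it does not validate signatures."""
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return None
    return chain[-1][1] if chain else None

def review(inventory, expected_root):
    """Return (name, reason) for in-window certificates on the affected
    profiles that do not chain to expected_root."""
    findings = []
    for cert in inventory:
        issued = datetime.fromisoformat(cert["not_before"])
        if cert["profile"] not in AFFECTED_PROFILES:
            continue
        if not (WINDOW_START <= issued < WINDOW_END):
            continue
        root = terminal_issuer(cert["chain"])
        if root is None:
            findings.append((cert["name"], "broken chain"))
        elif root != expected_root:
            findings.append((cert["name"], f"chains to {root}"))
    return findings

def _entry(name, profile, not_before, inter, inter_issuer, root):
    chain = [(f"CN={name}", inter), (inter_issuer, root)]
    return {"name": name, "profile": profile,
            "not_before": not_before, "chain": chain}

X, Y = "CN=Example Intermediate X1", "CN=Example Intermediate Y1"
RX, RY = "CN=Example Root X", "CN=Example Root Y"
INVENTORY = [  # constructed sample data
    _entry("www.example.test", "tlsserver", "2026-05-08T09:15:00+00:00", Y, Y, RY),
    _entry("api.example.test", "shortlived", "2026-05-08T20:40:00+00:00", X, X, RX),
    _entry("old.example.test", "tlsserver", "2026-04-20T03:00:00+00:00", Y, Y, RY),
    _entry("mail.example.test", "classic", "2026-05-08T10:00:00+00:00", Y, Y, RY),
    _entry("gap.example.test", "tlsserver", "2026-05-09T01:30:00+00:00", Y, X, RX),
]

if __name__ == "__main__":
    for name, reason in review(INVENTORY, EXPECTED_ROOT):
        print(f"{name}: {reason}")
```

A flagged entry only identifies a certificate worth inspecting with a full X.509 validator; reissuing it through the normal ACME renewal path replaces it with one from the current chain.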
Upcoming Changes to Certificate Lifetimes
The timing of this infrastructure incident is particularly sensitive as Let’s Encrypt prepares for a major platform update scheduled for May 13, 2026. Despite the recent root incident, the organization remains on track to implement three significant changes:
The tlsserver ACME profile will transition to 45-day certificates. This is part of a broader strategy to reduce standard certificate lifespans from 90 days to 45 days over the next two years.
Access to the tlsclient profile will be restricted to accounts with a history of requesting those specific certificates, with full support for these certificates set to end on July 8, 2026.
The classic ACME profile will migrate to Generation Y intermediates. These will chain to existing X1 and X2 roots to maintain compatibility across various client environments.
While these updates are already active in the staging environment, the security community will be watching closely to see if the recent root certificate complications impact the production rollout. Let’s Encrypt continues to provide updates through its community support portal for concerned administrators and developers.