Let’s Encrypt suspended the issuance of all TLS certificates for several hours due to a technical anomaly within its trust infrastructure. For a service that facilitates the daily automated issuance and renewal of certificates for millions of domains, such an interruption constitutes a rare and conspicuous failure, even if core operations were reinstated by the evening of May 8.
Engineers at Let’s Encrypt identified a potential incident on May 8 at 18:37 UTC, promptly halting all certificate issuance. This suspension affected both production and staging ACME API endpoints, including acme-v02.api.letsencrypt.org and acme-staging-v02.api.letsencrypt.org, as well as portal environments across two secure data centers. After a duration of two and a half hours, at 21:03 UTC, the organization announced the resumption of its services.
The root cause was traced to an issue involving a cross-signed certificate intended to bridge the existing Generation X root certificate with the forthcoming Generation Y infrastructure. Following the restoration, Let’s Encrypt reverted all new certificate issuances to the Generation X root. This rollback impacted two specific ACME profiles: tlsserver and shortlived.
This incident manifested at an inopportune juncture, as Let’s Encrypt is slated to implement several significant platform revisions on May 13. The tlsserver profile is scheduled to begin issuing 45-day certificates as part of a broader two-year transition from the traditional 90-day validity period. Furthermore, the tlsclient profile, utilized for TLS client authentication, will be restricted to ACME accounts with a prior history of such requests; comprehensive support for tlsclient is expected to conclude on July 8, 2026.
Another impending modification involves the classic ACME profile, which Let’s Encrypt intends to transition to Generation Y intermediate certificates. These intermediates are designed to establish a chain of trust to the established X1 and X2 roots, ensuring compatibility across diverse client environments while incrementally preparing the infrastructure for a new root chain.
According to the organization, all three aforementioned changes are currently operational within the staging environment and remain scheduled for production deployment on May 13. The final determination regarding this launch rests upon the definitive resolution of the root certificate complications.
Let’s Encrypt has not disclosed whether any erroneously issued certificates reached users prior to the suspension. Administrators who rely on automated ACME renewals, particularly those utilizing the tlsserver and shortlived profiles, are advised to scrutinize their renewal logs from May 8 to ensure their certificates adhere to the anticipated root chain. Comprehensive details and updates regarding this incident are available here.
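One way to carry out the chain check suggested above, as an added example (not Let's Encrypt's or any ACME client's own tooling): given a deployed PEM bundle with the leaf first, it reports whether the leaf was issued on a given day and whether the topmost certificate in the bundle was issued by the root you expect. The function names, the bundle path, the day and the expected root name are assumptions supplied by the operator; it needs the `openssl` CLI and `awk`.

```shell
#!/bin/sh
# Added example: audit a PEM bundle (leaf first) for issuance day and root chain.
# Usage: audit_chain /path/to/fullchain.pem <YYYY-MM-DD> '<expected root name>'

# Split a PEM bundle into DIR/1.pem, DIR/2.pem, ... and print how many were found.
split_chain() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".pem") }
        END { print n + 0 }' "$1"
}

# Print a certificate's notBefore as YYYY-MM-DD (UTC).
# Note: CAs may backdate notBefore slightly, so treat the day as a filter, not proof.
issued_day() {
    openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//' |
    awk '{ m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
           printf "%04d-%02d-%02d\n", $4, m, $2 }'
}

# Print a certificate's issuer DN in RFC 2253 form (stable across OpenSSL versions).
issuer_of() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Exit 0: not issued that day, or issued that day and chaining to the expected root.
# Exit 1: issued that day with an unexpected top issuer. Exit 2: unreadable bundle.
audit_chain() {
    bundle=$1 day=$2 expected=$3
    dir=$(mktemp -d) || return 2
    count=$(split_chain "$bundle" "$dir")
    if [ "$count" -lt 1 ]; then
        rm -rf "$dir"; echo "ERROR no certificate in $bundle"; return 2
    fi
    leaf_day=$(issued_day "$dir/1.pem")
    top=$(issuer_of "$dir/$count.pem")   # issuer of the last cert = root it chains to
    rm -rf "$dir"
    if [ "$leaf_day" != "$day" ]; then
        echo "SKIP leaf issued $leaf_day"; return 0
    fi
    case $top in
        *"$expected"*) echo "OK issued $leaf_day, chains to: $top"; return 0 ;;
        *) echo "REVIEW issued $leaf_day, chains to: $top"; return 1 ;;
    esac
}
```

A `REVIEW` result means the bundle was issued on the day in question and does not end at the root you named, which is the case to reissue or investigate.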