Let's Encrypt Certificate Issuance Halted Due to Generation Y Root Cross-Signature Issue
On May 8, 2026, Let's Encrypt temporarily halted all certificate issuance due to a potential incident involving Generation Y root cross-signature issues.
Let’s Encrypt Temporarily Suspends Certificate Issuance
On May 8, 2026 (May 9, Japan time), Let’s Encrypt, one of the world’s largest certificate authorities (CA), temporarily halted the issuance of all certificates upon detecting a potential incident. Although certificate issuance resumed by 21:03 UTC on the same day, issues related to the migration to a new root certificate disrupted their original transition plan.
Incident Details
According to Let’s Encrypt’s status page, the potential incident was detected at 18:37 UTC on the same day, prompting the organization to take precautionary measures and suspend all issuance activities. The root cause was identified as a problem with the cross-signature certificates used for transitioning from the existing Generation X root to the new Generation Y root.
Cross-signatures are a mechanism that establishes trust chains between different root certificates. They are commonly used to ensure compatibility with more clients while a new root certificate is gaining widespread trust by receiving signatures from existing roots.
Impacted Profiles
Due to this incident, issuance for two ACME certificate profiles, “tlsserver” and “shortlived,” was reverted to the Generation X root certificate. Operators of websites that use the Automatic Certificate Management Environment (ACME) protocol for automatic certificate renewal may have been temporarily affected by this measure.
Let’s Encrypt plays a critical role in providing free SSL/TLS certificates for a significant portion of websites worldwide. Although the suspension lasted only a few hours, it may have impacted numerous sites that rely on automatic certificate renewal during this period.
Measures Taken After Resumption
Following the resumption of certificate issuance, Let’s Encrypt decided to temporarily halt the transition to the Generation Y root and continue issuing certificates under the Generation X root to prioritize stability. The organization plans to revisit the migration once the issues with the cross-signature certificates are resolved.
Let’s Encrypt’s services are community-supported, and updates on this situation can be monitored through the organization’s community forum.
Frequently Asked Questions
- How many websites using Let's Encrypt certificates were affected?
- The exact scope of the impact has not been disclosed. The suspension lasted for approximately two and a half hours, potentially affecting websites undergoing certificate renewal during this window. Certificates already issued were not invalidated, so regular website access remained unaffected.
- What will happen with the migration to the Generation Y root?
- Let's Encrypt plans to address the cross-signature certificate issue before proceeding with the migration. However, the timeline for resuming the transition has not been announced.
Comments