Components
acme-v02.api.letsencrypt.org (Production), acme-staging-v02.api.letsencrypt.org (Staging), portal.letsencrypt.org (Production), portal-staging.letsencrypt.org (Staging)
Locations
High Assurance Datacenter 1, High Assurance Datacenter 2
May 13, 2026 20:32 UTC
RESOLVED
We have identified that our cross-certified subordinate CAs are missing Extended Key Usage (EKU) fields which are now required. We are revoking and reissuing our cross-signs of X2/YR by X1, and YE by X2. This will not affect most Let’s Encrypt subscribers. We will not be revoking the end-entity certificates, as they are still compliant. However, any certificates issued from our roots YE and YR may not chain successfully to our previous roots X1 and X2 without an updated cross-signed intermediate in their chain. If you have a certificate issued by the “tlsserver” or “shortlived” ACME profiles, we recommend renewing them. Our ACME Renewal Information API is signalling affected certificates to renew now.
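As an added example (not Let's Encrypt's code), this is how a client can act on the ACME Renewal Information signal mentioned in this update: it builds the RFC 9773 certificate identifier and decides whether the suggested renewal window calls for renewing now. The AKI, serial number, timestamps and function names are constructed sample values and assumptions, not data from this incident.

```python
import base64
import random
from datetime import datetime, timezone


def b64url(data: bytes) -> str:
    """base64url without padding, as ARI certificate identifiers require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def ari_cert_id(aki_hex: str, serial: int) -> str:
    """Build the ARI certificate ID: b64url(AKI keyIdentifier) '.' b64url(serial).

    The serial is the DER INTEGER content, so a leading 0x00 byte is kept
    when the high bit of the first byte would otherwise be set.
    """
    aki = bytes.fromhex(aki_hex.replace(":", ""))
    der_serial = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    return f"{b64url(aki)}.{b64url(der_serial)}"


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp; map 'Z' for older Python versions."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def should_renew_now(renewal_info: dict, now: datetime) -> bool:
    """Pick a uniformly random time in suggestedWindow; renew if it has passed."""
    window = renewal_info["suggestedWindow"]
    start, end = parse_ts(window["start"]), parse_ts(window["end"])
    if end <= start:
        raise ValueError("invalid suggestedWindow: end must follow start")
    chosen = start + (end - start) * random.random()
    return chosen <= now


# Constructed sample inputs (not taken from any affected certificate).
SAMPLE_AKI = "69:88:5B:6B:87:46:40:41:E1:B3:7B:84:7B:A0:AE:2C:DE:01:C8:D4"
SAMPLE_SERIAL = 0x87654321
SAMPLE_NOW = datetime(2026, 5, 14, tzinfo=timezone.utc)
# A window that lies entirely in the past means "renew now".
RENEW_NOW = {"suggestedWindow": {"start": "2026-05-12T00:00:00Z",
                                 "end": "2026-05-13T00:00:00Z"}}
NOT_YET = {"suggestedWindow": {"start": "2026-07-01T00:00:00Z",
                               "end": "2026-07-03T00:00:00Z"}}

if __name__ == "__main__":
    print("ARI id:", ari_cert_id(SAMPLE_AKI, SAMPLE_SERIAL))
    print("renew now?", should_renew_now(RENEW_NOW, SAMPLE_NOW))
    print("renew now?", should_renew_now(NOT_YET, SAMPLE_NOW))
```

The identifier is appended to the `renewalInfo` URL advertised in the ACME directory; most ACME clients with ARI support perform this check on their own schedule.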
May 8, 2026 21:03 UTC
MONITORING
Let's Encrypt has resumed issuance. Due to an issue with the cross-signed certificate from our Generation X root to our new Generation Y root, all issuance has been switched back to our Generation X root certificate. This affects our "tlsserver" and "shortlived" ACME certificate profiles.
May 8, 2026 18:37 UTC
INVESTIGATING
We have been made aware of a potential incident and are shutting down all issuance.