Let’s Encrypt: Stopping Issuance for Potential Incident – Resolved

Let’s Encrypt: Stopping Issuance for Potential Incident – Resolved(letsencrypt.status.io)

144 points by rbaudibert 10 days ago | 91 comments

jaas 10 days ago |

This is a compliance incident, we should be issuing again shortly.

Update: Issuance is back up.

Update: Preliminary incident report:

https://bugzilla.mozilla.org/show_bug.cgi?id=2038351

theduderoger 10 days ago | |

can you update the status page with this information?

rbaudibert 10 days ago | |

Thanks for the assurance, jaas! Keep up the good work

gabeio 10 days ago | |

> This is a compliance incident

Uh. I don't know if I like the sound of that...

john_strinlai 10 days ago | | |

"compliance incident" is the catchall for everything from a spelling error on a CPS (certification practice statement) or being one second late on revocation, all the way up to to key compromise.

it is almost always closer to the spelling mistake side than it is the key compromise side of the spectrum.

a peak at https://bugzilla.mozilla.org/buglist.cgi?product=CA%20Progra... will show that most compliance issues, to the general public, are quite mundane.

walrus01 10 days ago | | |

Indeed. "Compliance" can mean some internal audit/monitoring system has tripped and requires in depth investigation and preservation of logging, or it can mean "federal law enforcement with badges are right now standing in our datacenter and/or NOC serving a court order".

washingupliquid 10 days ago | |

Real soon now?

mark_round 10 days ago |

That's really not good. Fortunately I'm not using any short-lived certificates like the recently announced 6 day certs, so have some breathing room. Without further details, I'd imagine anyone with a short-lived cert is getting a bit sweaty right now.

Let's Encrypt has become one of those pieces of critical Internet infrastructure that just quietly hums away in the background, the fact that they've stopped ALL issuance is deeply concerning.

jaas 10 days ago | |

Stopping all issuance is an pretty standard response if a CA thinks what they are issuing might be non-compliant in any way. It's an action we're required to take. It's not necessarily a sign of a more dramatic failure mode or key compromise. That said, the impact is the same for as long as the downtime lasts so it is unfortunate and we're sorry for the disruption.

I don't think the premise behind short lived (six day) certificates being viable is that CA issuance never goes down. Sure, the runway is shorter, but not that short. Most down time is a few hours or less, which is not a problem for six day certificates that should be renewed every three days.

Short lived certificates are optional though, so if it's not worth it to you there are longer lifetime options.

Kwpolska 9 days ago | | |

> Short lived certificates are optional though, so if it's not worth it to you there are longer lifetime options.

Are they going to be optional forever, or do you plan to eventually get rid of the longer lifetime options?

walrus01 10 days ago | |

Considering the open source nature of Letsencrypt, I wonder what the barriers/costs would be (theoretically) to a wealthy benefactor who wanted to duplicate its server side infrastructure and a core staffing level of persons, and fund a "parallel" equally trusted, alternative entity with a solid governing board. Same general idea how Acton funded the Signal foundation.

Somewhere that none of the physical infrastructure/hosting environment overlapped with existing Letsencrypt stuff so that the failure of one entity would have zero blast radius affecting the other.

I know there's a long and complicated process to go through to become a trusted root CA and get your CA public cert auto-installed in every OS and browser trust store. Indeed in the early days of letsencrypt I recall their root CA certs were signed by other older root CAs.

dochtman 10 days ago | | |

A lot of Let’s Encrypt is not the software but a bunch of auditing and process that ensure compliance and make it legible to the required auditors.

computer23 10 days ago | | |

Google has their own free ACME endpoint: https://pki.goog/

jcims 10 days ago | |

I just find it incredible that in 30+ years the industry hasn't adapted one bit to the brittle failure modes of certificates. I did some subcontract work with Verisign to deploy their CA infrastructure back in the early oughties and it felt like a solution was overdue way back then. I was at Google in the teensies when gmail broke due to expired SMTP certs. WAAAY overdue by then. Here we are, a decade later and it's still the same lol.

yjftsjthsd-h 10 days ago | | |

Other than automating renewal - which we have made huge strides on - what adaption would you want to see?

packetlost 10 days ago | | |

I mean, what's the alternative? I struggle to come up with a solution that doesn't boil down to the same primitive operations and trust model.

Havoc 10 days ago | |

>pieces of critical Internet infrastructure that just quietly hums away in the background,

And donation supported no less

cachius 10 days ago | |

Wonder what incident that even could have been.

hulitu 6 days ago | | |

The NSA needed some certs to expire, so you can send plain text. Just to test it. They already have access to the CA, but, if it works easier, why not. /s

nottorp 10 days ago | |

> like the recently announced 6 day certs

Just you wait for the 1 hour and 59 minutes certs! For security!

mcherm 10 days ago |

There is one little-discussed down side to ever shorter-lived certificates...

dizhn 10 days ago | |

Letsencrypt is not the only acme authority. ZeroSSL is the other popular one. There are others.

pseudalopex 9 days ago | | |

ZeroSSL offered for free 3 single name certificates. The next plan was $180 yearly.

Actalis offered unlimited single name certificates. Why are ZeroSSL more popular?

Google offered unlimited certificates with multiple names and wild cards. But they required a GCP account seemingly. It would require to give Google personal information, a phone number, and automatic payment permission. And Google not disable your account because your spouse uploaded images for your child's doctor.

All others I saw charged for each certificate.

Analemma_ 10 days ago | |

Only if you’re reissuing right before expiration, which is a stupid thing to do. If you have a 47-day cert, best practice is to reissue on day 30, meaning LE would need to be down for more than two weeks before anything went wrong.

If this outage breaks your system, that’s entirely on you, not Let’s Encrypt.

eqvinox 10 days ago | | |

Short-lived = 6 days. Even if you reissue after 2 or 3 days, that's… not a lot of breathing room.

rconti 10 days ago | | |

You're holding your 6-day cert wrong

jameshart 10 days ago | | |

Useful context: https://letsencrypt.org/2026/01/15/6day-and-ip-general-avail...

gbear605 10 days ago | | |

Only as long as LE isn’t down for 17 days, then we’re in big trouble.

devrand 10 days ago | |

If you're using ACME to handle certificate rotation, can't you just configure multiple providers?

pseudalopex 9 days ago | | |

https://news.ycombinator.com/item?id=48071607

bravetraveler 10 days ago |

It's certainly an incident when ceasing to issue certificates... after doing absolutely everything, including limiting lifetime, to encourage their frequent renewal

kalmarv 10 days ago |

Hopefully it's just a technical issue and not something like a key compromise. This could have disastrous effects considering how much of the web runs on LE certs these days.

Granted if it's configured properly everyone should have 30 days of leeway before having to issue new certs...

mark_round 10 days ago | |

"We have been made aware of a potential incident and are shutting down all issuance" seems to lean towards the latter and not simply a technical issue :(

tptacek 10 days ago | | |

Josh Aas is on the thread. It's a compliance issue, they expect to be issuing shortly.

Dylan16807 10 days ago | | |

What makes you think that?

x86a 10 days ago |

They had scheduled maintenance a few hours ago, https://letsencrypt.status.io/pages/maintenance/55957a99e800...

hosteur 10 days ago |

Related Cloudflare issue: https://www.cloudflarestatus.com/incidents/z3vgxxfvt3yb

cedws 10 days ago |

Discord is out too right now, probably unrelated though.

aroman 10 days ago | |

Just speculating, but I don't think it's unrelated. Discord heavily utilizes Cloudflare, and Cloudflare uses Let's Encrypt for a certificate issuance. If they happened to have a certificate signing dependency in some operational rollout today, I think it could explain it. Certainly the timing is very correlated.

shye 9 days ago | | |

For domains where they handle the certificates, Cloudflare utilizes multiple CAs, to avoid such a single point of failure: I’ve seen Cloudflare managed certificates issued by Let’s Encrypt, Google Cloud, Sectigo, and SSL.com.

Cloudflare does provide the option for customers to manage their own certificates, which would make it the customer’s responsibility to have alternatives issuers when needed.

cedws 10 days ago | | |

I guess we'll find out but it would be surprising if they use Let's Encrypt for their backend services. The front door is issued by Google Trust Services.

winstonwinston 10 days ago | | |

On my account they always serve Google issued certificates. There is also Let’s encrypt certificate but it is not used though. I guess that’s a fail-safe.

everfrustrated 9 days ago | | |

Cloudflare doesn't issue let's encrypt certs

reaperducer 10 days ago | | |

Just speculating

Then why post? HN is for informed discussion, not every random thought in someone's head.

Certainly the timing is very correlated.

I had chocolate ice cream for breakfast. Certainly the timing is very corrolated [sic].

esseph 10 days ago |

Some other internet things going on to Discord, Cloudflare, and others.

Unsure if related in any way.

DerekL 10 days ago |

The title is misspelled. It's “Let's Encrypt”, with an apostrophe.

DerekL 9 days ago | |

It's fixed now. Thanks!

jstyles 10 days ago |

Hopefully just a minor mississuance incident and not something more serious.

croemer 10 days ago |

Issuance was stopped almost 2 hours ago: May 8, 2026 18:37 UTC.

bstsb 10 days ago |

in other news, Digicert's Secure Site Pro certificates are down to only $5,880.00 yearly for one wildcard domain!

baigy 10 days ago |

dang I'll have to return to paid certs again?

t1234s 10 days ago |

How much of the internet is going to fail because of this?

nicolas_17 10 days ago | |

None, unless someone is renewing their certificates only 2 hours before they expire, which is a dumb thing to do.

walrus01 10 days ago | |

It's an interesting thought experiment to consider how much of 'the internet' would still find a way to communicate with each other and fix the problem if somebody waved a magic wand and all http and https servers and clients magically disappeared worldwide instantly.

For instance some of the folks who run core BGP at medium to large sized ISPs would revert back to a few legacy IRC channels and find each other to chat and figure out WTF is going on.

"the internet" would still exist, a subset of the application layer stuff that runs on top it wouldn't...

ben0x539 10 days ago | | |

I bet we'd see a bunch of unexpected breakage in presumed-to-be-lower-level-than-http[s] infrastructure so that eg. your legacy IRC server goes down because it's running on rented hardware and the hosting provider's operations rely on some internal http services.

noplacelikehome 10 days ago |

Here's hoping it's not another security nightmare...