Let’s Encrypt temporarily halted all certificate issuance on May 8, 2026, due to a critical issue involving a cross-signed certificate that linked their existing Generation X root to the upcoming Generation Y root infrastructure. The incident prompted a complete shutdown of certificate issuance, affecting both production and staging environments. Engineers became aware of the problem at 18:37 UTC and immediately paused certificate issuance as a precaution. This affected the ACME API endpoints and portal environments hosted across two high-assurance data centers. By 21:03 UTC, issuance resumed after approximately two and a half hours, but all certificate generation was rolled back to the Generation X root as a direct result of the cross-signed issue. This rollback specifically impacts two ACME certificate profiles: tlsserver and shortlived. The timing of the incident is notable since Let’s Encrypt had announced significant platform changes scheduled for May 13, 2026. These changes include the tlsserver ACME profile beginning to issue 45-day certificates, a reduction from the current 90-day period. Additionally, the tlsclient profile will be restricted to ACME accounts with prior certificate requests and will end full support on July 8, 2026. The classic ACME profile is also set to transition to Generation Y intermediates to maintain compatibility across client environments. Despite the incident, these changes are live in the staging environment and remain on track for the production rollout, assuming the root certificate issue is resolved. Let’s Encrypt has not disclosed whether any incorrect certificates were distributed before the halt. Administrators using automated ACME-based renewal workflows, especially those utilizing the tlsserver or shortlived profiles, should closely monitor renewal logs and verify that certificates issued around May 8 chain correctly to the expected root. Further updates and support are available at community.letsencrypt.org.