
Let’s Encrypt – Stopping Issuance for Potential Incident

https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/69fe2d6698ca07050eb4b1b3
119•rbaudibert•1h ago

Comments

esseph•1h ago
Some other internet things going on with Discord, Cloudflare, and others.

Unsure if related in any way.

noplacelikehome•1h ago
Here's hoping it's not another security nightmare...
mcherm•1h ago
There is one little-discussed down side to ever shorter-lived certificates...
Analemma_•1h ago
Only if you’re reissuing right before expiration, which is a stupid thing to do. If you have a 47-day cert, best practice is to reissue on day 30, meaning LE would need to be down for more than two weeks before anything went wrong.

If this outage breaks your system, that’s entirely on you, not Let’s Encrypt.

rconti•59m ago
You're holding your 6-day cert wrong
cachius•54m ago
Thought that was the iPhone 6
bakies•54m ago
Chill, it's 2 hours. They recommend renewing at the first third of the 160 hrs.
gbear605•57m ago
Only as long as LE isn’t down for 17 days, then we’re in big trouble.
eqvinox•57m ago
Short-lived = 6 days. Even if you reissue after 2 or 3 days, that's… not a lot of breathing room.
bakies•53m ago
3-4 days is a ton of breathing room
striking•52m ago
You have to opt in, and they are honest about the tradeoffs when discussing them:

> Short-lived certificates are opt-in and we have no plan to make them the default at this time. Subscribers that have fully automated their renewal process should be able to switch to short-lived certificates easily if they wish, but we understand that not everyone is in that position and generally comfortable with this significantly shorter lifetime. We hope that over time everyone moves to automated solutions and we can demonstrate that short-lived certificates work well.

https://letsencrypt.org/2026/01/15/6day-and-ip-general-avail...

eqvinox•48m ago
That's not really an answer, especially with:

> We hope that over time everyone moves to automated solutions and we can demonstrate that short-lived certificates work well.

They're expressly trying to show that this is a viable approach. It's actually kinda good that this outage, whatever it is, is happening now, as it's giving them a chance to demonstrate (or not) that they can deliver.

nottorp•38m ago
> no plan to make them the default at this time

At this time! Boil the frog slowly...

jameshart•55m ago
Useful context: https://letsencrypt.org/2026/01/15/6day-and-ip-general-avail...
jldugger•49m ago
What people are responding to is a slippery slope. Before LE, most certs lasted years. LE started with 90 days, and now cuts to 45, but it's hard to see the logic that stops it from sliding to 15, or even 24 hours.
devrand•55m ago
If you're using ACME to handle certificate rotation, can't you just configure multiple providers?
dizhn•51m ago
Letsencrypt is not the only acme authority. ZeroSSL is the other popular one. There are others.
mark_round•1h ago
That's really not good. Fortunately I'm not using any short-lived certificates like the recently announced 6 day certs, so have some breathing room. Without further details, I'd imagine anyone with a short-lived cert is getting a bit sweaty right now.

Let's Encrypt has become one of those pieces of critical Internet infrastructure that just quietly hums away in the background; the fact that they've stopped ALL issuance is deeply concerning.

walrus01•59m ago
Considering the open source nature of Letsencrypt, I wonder what the barriers/costs would be (theoretically) to a wealthy benefactor who wanted to duplicate its server side infrastructure and a core staffing level of persons, and fund a "parallel" equally trusted, alternative entity with a solid governing board. Same general idea how Acton funded the Signal foundation.

Somewhere that none of the physical infrastructure/hosting environment overlapped with existing Letsencrypt stuff so that the failure of one entity would have zero blast radius affecting the other.

I know there's a long and complicated process to go through to become a trusted root CA and get your CA public cert auto-installed in every OS and browser trust store. Indeed in the early days of letsencrypt I recall their root CA certs were signed by other older root CAs.

dochtman•42m ago
A lot of Let’s Encrypt is not the software but a bunch of auditing and process that ensure compliance and make it legible to the required auditors.
walrus01•37m ago
I understand there's probably a big thorny problem of duplicating the corporate process/policies on the human level that ensure compliance, but is the back-end software pipelining stuff to CT logs not also something that can be replicated? Or is it not part of the server side stuff which has been open sourced?

https://letsencrypt.org/docs/ct-logs/

computer23•31m ago
Google has their own free ACME endpoint: https://pki.goog/
nijave•2m ago
ZeroSSL should also be drop in
cachius•56m ago
Wonder what incident that even could have been.
Havoc•55m ago
> pieces of critical Internet infrastructure that just quietly hums away in the background,

And donation supported no less

jcims•50m ago
I just find it incredible that in 30+ years the industry hasn't adapted one bit to the brittle failure modes of certificates. I did some subcontract work with Verisign to deploy their CA infrastructure back in the early oughties and it felt like a solution was overdue way back then. I was at Google in the teensies when gmail broke due to expired SMTP certs. WAAAY overdue by then. Here we are, a decade later and it's still the same lol.
packetlost•47m ago
I mean, what's the alternative? I struggle to come up with a solution that doesn't boil down to the same primitive operations and trust model.
yjftsjthsd-h•47m ago
Other than automating renewal - which we have made huge strides on - what adaptation would you want to see?
AlotOfReading•2m ago
I'd like to see better support for networks that aren't connected to the broader internet, or moving away from X.509. Note that these are contradictory. X.509 was intentionally designed to support offline verification and has a lot of elaborate ceremony to support it (like all the rest of the OSI stack). The industry just doesn't, so we get the worst of both worlds.
jaas•41m ago
Stopping all issuance is a pretty standard response if a CA thinks what they are issuing might be non-compliant in any way. It's an action we're required to take. It's not necessarily a sign of a more dramatic failure mode or key compromise. That said, the impact is the same for as long as the downtime lasts so it is unfortunate and we're sorry for the disruption.

I don't think the premise behind short lived (six day) certificates being viable is that CA issuance never goes down. Sure, the runway is shorter, but not that short. Most down time is a few hours or less, which is not a problem for six day certificates that should be renewed every three days.

Short lived certificates are optional though, so if it's not worth it to you there are longer lifetime options.
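
The renewal-margin arithmetic in this comment (six-day certs renewed every three days) and in Analemma_'s 47-day example above, as an added worked example. This is not Let's Encrypt code and not any commenter's code; the lifetimes, the renewal fractions, the 160-hour figure for a "6-day" cert and the 24-hour fail-over threshold are assumed values chosen to match the numbers quoted in the thread. The `renewal_status` function goes one step beyond the comments by also deciding when an unrenewed cert should fall back to a second ACME CA, which is the "configure multiple providers" idea raised elsewhere in the thread.

```python
# Added example: renewal scheduling and outage headroom for short-lived certs.
# Not Let's Encrypt code; lifetimes and thresholds below are assumed values
# chosen to match the figures quoted in the thread (90/47-day certs, 160-hour
# "6-day" certs, renew on day 30 of 47, renew 6-day certs every three days).
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RenewalPlan:
    lifetime: timedelta   # notAfter - notBefore
    renew_at: datetime    # when the ACME client should first attempt renewal
    expires: datetime     # notAfter
    headroom: timedelta   # how long the CA may be unavailable after renew_at


def plan_renewal(not_before: datetime, not_after: datetime,
                 renew_fraction: float = 2 / 3) -> RenewalPlan:
    """Schedule the first renewal attempt once `renew_fraction` of the
    lifetime has elapsed; everything after that point is outage headroom.
    2/3 is the classic "renew 90-day certs at day 60" rule; 1/2 matches
    "renew 6-day certs every three days"."""
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    if not 0 < renew_fraction < 1:
        raise ValueError("renew_fraction must lie strictly between 0 and 1")
    lifetime = not_after - not_before
    renew_at = not_before + lifetime * renew_fraction
    return RenewalPlan(lifetime, renew_at, not_after, not_after - renew_at)


def renewal_status(plan: RenewalPlan, now: datetime,
                   failover_threshold: timedelta = timedelta(hours=24)) -> str:
    """Classify a certificate at time `now`:
      ok       - before the renewal point, nothing to do
      renew    - inside the renewal window; keep retrying the primary CA
      failover - still unrenewed with `failover_threshold` or less left;
                 time to try a second ACME CA (and page a human)
      expired  - past notAfter
    """
    if now >= plan.expires:
        return "expired"
    if now < plan.renew_at:
        return "ok"
    if plan.expires - now <= failover_threshold:
        return "failover"
    return "renew"


def headroom_table(issued: datetime) -> dict:
    """Outage headroom for the lifetimes and renewal points discussed above."""
    cases = {
        "90-day, renew at 2/3": (timedelta(days=90), 2 / 3),
        "47-day, renew on day 30": (timedelta(days=47), 30 / 47),
        "160-hour, renew at 1/2": (timedelta(hours=160), 1 / 2),
        "160-hour, renew at 1/3": (timedelta(hours=160), 1 / 3),
    }
    return {name: plan_renewal(issued, issued + life, frac).headroom
            for name, (life, frac) in cases.items()}


if __name__ == "__main__":
    # Constructed issuance time (the outage start quoted in the thread).
    issued = datetime(2026, 5, 8, 18, 37, tzinfo=timezone.utc)
    for name, headroom in headroom_table(issued).items():
        print(f"{name:26s} CA may be down for {headroom}")
    plan = plan_renewal(issued, issued + timedelta(hours=160), 1 / 2)
    print(renewal_status(plan, issued + timedelta(hours=150)))
```

The table makes the thread's disagreement concrete: a 47-day cert renewed on day 30 tolerates a 17-day CA outage, while a 160-hour cert renewed at the halfway point tolerates 80 hours and one renewed at the first third tolerates about 107 hours. The `failover` state is the part a monitoring rule should alert on, since by then the primary CA has been unreachable for most of the headroom.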

nottorp•39m ago
> like the recently announced 6 day certs

Just you wait for the 1 hour and 59 minutes certs! For security!

kalmarv•1h ago
Hopefully it's just a technical issue and not something like a key compromise. This could have disastrous effects considering how much of the web runs on LE certs these days.

Granted if it's configured properly everyone should have 30 days of leeway before having to issue new certs...

mark_round•1h ago
"We have been made aware of a potential incident and are shutting down all issuance" seems to lean towards the latter and not simply a technical issue :(
tptacek•55m ago
Josh Aas is on the thread. It's a compliance issue, they expect to be issuing shortly.
rvnx•49m ago
What if they get kicked out of trusted roots because they're non-compliant?
nicolas_17•34m ago
That's why they take incidents like this seriously and stop issuance until it's fixed. They could get kicked out of trusted roots otherwise.
cedws•1h ago
Discord is out too right now, probably unrelated though.
aroman•57m ago
Just speculating, but I don't think it's unrelated. Discord heavily utilizes Cloudflare, and Cloudflare uses Let's Encrypt for certificate issuance. If they happened to have a certificate signing dependency in some operational rollout today, I think it could explain it. Certainly the timing is very correlated.
cedws•47m ago
I guess we'll find out but it would be surprising if they use Let's Encrypt for their backend services. The front door is issued by Google Trust Services.
reaperducer•40m ago
> Just speculating

Then why post? HN is for informed discussion, not every random thought in someone's head.

> Certainly the timing is very correlated.

I had chocolate ice cream for breakfast. Certainly the timing is very corrolated [sic].

winstonwinston•23m ago
On my account they always serve Google-issued certificates. There is also a Let's Encrypt certificate, but it is not used. I guess that's a fail-safe.
jstyles•1h ago
Hopefully just a minor misissuance incident and not something more serious.
bravetraveler•59m ago
It's certainly an incident when ceasing to issue certificates... after doing absolutely everything, including limiting lifetime, to encourage their frequent renewal
bstsb•57m ago
in other news, Digicert's Secure Site Pro certificates are down to only $5,880.00 yearly for one wildcard domain!
jaas•56m ago
This is a compliance incident, we should be issuing again shortly.

Update: Issuance is back up.

gabeio•54m ago
> This is a compliance incident

Uh. I don't know if I like the sound of that...

walrus01•47m ago
Indeed. "Compliance" can mean some internal audit/monitoring system has tripped and requires in depth investigation and preservation of logging, or it can mean "federal law enforcement with badges are right now standing in our datacenter and/or NOC serving a court order".
tptacek•45m ago
At times like this it's worth remembering that message boards strongly favor whatever narrative is going to be most fun and exciting to talk about.
walrus01•44m ago
I sincerely hope it's the most mundane and least spectacular explanation possible, just saying from my point above that compliance has a very wide range of possible meanings and interpretations (also depending on the background/career POV of the reader), until the incident is further explained.
jaas•38m ago
In that sense, prepare yourself to be bored.
michaelt•21m ago
I heard the CEO of Lets Encrypt, Warren Buffet, accidentally started a fire while charging his e-unicycle in the data centre and that knocked out the server that issues the certificates. They've got a backup, but it's in a safe only two people have keys to; one keyholder, Anne Hathaway, is at a parrot show in Singapore this week and her flight back is delayed due to fuel shortages. The other keyholder, Henry Kissinger, it turns out has been dead for 3 years.
eqvinox•41m ago
Federal law enforcement in your DC isn't something you'd call a "compliance" issue, that's not what that term means. Yes it's various derivatives of the English word "comply", but this is a field of well-defined verbiage, and that ain't it. Compliance means they failed (or are being questioned) about following particular practices that they have agreed to, nothing else really.

NB: "legal compliance" is another term. So is "{legal,lawful} enforcement"

john_strinlai•17m ago
"compliance incident" is the catchall for everything from a spelling error on a CPS (certification practice statement) or being one second late on revocation, all the way up to key compromise.

it is almost always closer to the spelling mistake side than it is the key compromise side of the spectrum.

a peek at https://bugzilla.mozilla.org/buglist.cgi?product=CA%20Progra... will show that most compliance issues, to the general public, are quite mundane.

rbaudibert•54m ago
Thanks for the assurance, jaas! Keep up the good work
washingupliquid•47m ago
Real soon now?
theduderoger•22m ago
can you update the status page with this information?
x86a•56m ago
They had scheduled maintenance a few hours ago, https://letsencrypt.status.io/pages/maintenance/55957a99e800...
t1234s•54m ago
How much of the internet is going to fail because of this?
walrus01•40m ago
It's an interesting thought experiment to consider how much of 'the internet' would still find a way to communicate with each other and fix the problem if somebody waved a magic wand and all http and https servers and clients magically disappeared worldwide instantly.

For instance some of the folks who run core BGP at medium to large sized ISPs would revert back to a few legacy IRC channels and find each other to chat and figure out WTF is going on.

"the internet" would still exist; a subset of the application layer stuff that runs on top of it wouldn't...

ben0x539•19m ago
I bet we'd see a bunch of unexpected breakage in presumed-to-be-lower-level-than-http[s] infrastructure so that eg. your legacy IRC server goes down because it's running on rented hardware and the hosting provider's operations rely on some internal http services.
nicolas_17•34m ago
None, unless someone is renewing their certificates only 2 hours before they expire, which is a dumb thing to do.
baigy•49m ago
dang I'll have to return to paid certs again?
DerekL•48m ago
The title is misspelled. It's “Let's Encrypt”, with an apostrophe.
croemer•42m ago
Issuance was stopped almost 2 hours ago: May 8, 2026 18:37 UTC.
hosteur•24m ago
Related Cloudflare issue: https://www.cloudflarestatus.com/incidents/z3vgxxfvt3yb