UPDATE 08 February 2022: The rate limit adjustments have been reverted to normal conditions. You can read about our rate limits here. UPDATE 29 January 2022: We completed the revocation of approximately 2.7 million certificates validated with the TLS-ALPN-01 method. If a subscriber did not renew and replace their certificate before revocation, clients may see warnings and errors. Affected subscrib

We have made two changes to the way that our TLS-ALPN-01 challenge validation works. These changes will only affect clients that specifically use TLS-ALPN-01; for example, it is not a default choice in Certbot. First, we now guarantee that our client which reaches out to conduct the “acme-tls/1” handshake will negotiate TLS version 1.2 or higher. If your ACME client or integration only supports a

For compatibility with older Android devices, we'll be relying on a signature from an expired root, which is supported by Android. However, as Ryan Sleevi points out in “Path Building vs Path Verifying,” older versions of OpenSSL will reject a certificate chain that includes a signature by an expired root, even if OpenSSL could validate the chain by ignoring that certificate. Let’s Encrypt is not

The original protocol used by Let’s Encrypt for certificate issuance and management is called ACMEv1. In March of 2018 we introduced support for ACMEv2, a newer version of the protocol that matches what was finalized today as RFC 8555. We have been encouraging subscribers to move to the ACMEv2 protocol. Today we are announcing an end of life plan for ACMEv1. In November of 2019 we will stop allowi

We previously communicated that we would launch ACMEv2 and wildcard certificate support on February 27th. ACMEv2 and wildcard support is nearly ready but we will be delaying the full launch in order to give our teams more time to complete testing and quality assurance activities. While we work hard to hit deadlines, we are inclined to prioritize a quality release over hitting a deadline. The bigge

[Update 2018-01-18: The most up-to-date summary is at IMPORTANT: What you need to know about TLS-SNI validation issues] At approximately 5 p.m. Pacific time on January 9, 2018, we received a report from Frans Rosén of Detectify outlining a method of exploiting some shared hosting infrastructures to obtain certificates for domains he did not control, by making use of the ACME TLS-SNI-01 challenge t

We've completed our full postmortem for last Friday's outage and want to provide some details to our community. From 2017-05-18 17:25 UTC to 2017-05-19 06:05 UTC Let's Encrypt had a minor OCSP outage, serving HTTP 400's to a subset of OCSP clients that were making well-formed requests. From 2017-05-19 06:05 UTC to 2017-05-19 22:58 UTC, this became a major outage of both OCSP and the ACME API used