
Let's Encrypt Outage Is Breaking Certificate Renewals Today

Let's Encrypt has been experiencing a major service disruption for most of today, with its ACME API returning errors that prevent new certificate issuance and automated renewals from completing successfully.

What Happened

The outage has persisted for the majority of June 19, according to the Let's Encrypt status page. The ACME protocol endpoint — the API that certbot, acme.sh, Caddy, Traefik, and every other automated cert client talks to — has been unreachable or returning failures for extended periods. New certificate orders are failing. Renewal jobs that fired during the outage window returned errors and did not renew.

Why It Matters

Let's Encrypt issues a very large share of the TLS certificates on the public internet, so the blast radius of an ACME outage is broad. Any server that relies on certbot or another ACME client for automated renewal failed every renewal job that ran during this window, and unless you alert on client errors, it failed silently. The danger isn't immediate for most sites: Let's Encrypt certificates are valid for 90 days and certbot attempts renewal by default once 30 days remain, so one failed attempt normally leaves weeks of buffer. But if a certificate was already in its final days, today's failure could leave it expiring, or expired, before the next attempt succeeds.

If a certificate expires within the next 24 to 48 hours and its renewal failed today, that site will start throwing browser security warnings or become unreachable over HTTPS once the cert lapses. Certbot itself doesn't keep retrying after a failed run; the next attempt comes when its timer or cron job fires again, and if the outage is still ongoing at that point there is no guarantee the attempt completes in time.

What To Do Right Now

1. Check your cert expiry dates immediately.

certbot certificates

Or probe the live cert directly (pass -servername so a host serving several certificates returns the one for that name rather than its default):

echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates

Anything expiring within 72 hours needs your attention now.

2. Watch the status page for the all-clear. Once service recovers, trigger a manual renewal on any at-risk hosts:

certbot renew --force-renewal

Omit --force-renewal if you only want to renew certs that are actually near expiry (inside certbot's default 30-day window). Don't force-renew across a whole fleet: each forced issuance counts toward Let's Encrypt's duplicate-certificate rate limit of 5 per week for the same set of names, and a cert with 60 days left gains nothing from it.

3. If you use the DNS-01 challenge (Cloudflare, Route53, etc.), your web server's availability is irrelevant to validation, but renewal still needs the ACME API to respond, so DNS-challenge setups are just as blocked during the outage.

4. Check your renewal timer. If a certbot.timer or cron job ran and failed today, it will not retry until its next scheduled window — typically twice daily. A manual trigger immediately after the outage clears is the safest recovery path.

5. Add expiry monitoring if you don't have it. A cron job that runs openssl s_client against your public domain and alerts when validity drops below 14 days catches this class of problem before users do. This outage is the reminder.
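Steps 1 and 5 are the same check run once by hand and then on a schedule. The script below is an added example, not code from the original post or from certbot: it wraps the openssl pipeline above, parses the notAfter date with the standard library, and exits non-zero when any certificate is inside the alert threshold, which is enough for cron to mail the output or for an alerting wrapper to fire. The sample openssl output embedded in it is constructed for the offline test; the live probe assumes an openssl binary on PATH and the hostnames you pass on the command line.

```python
"""Certificate-expiry monitor built on the openssl s_client | x509 pipeline.

Added example, not part of the original post. Assumes the `openssl` binary
is on PATH for live probes; parsing and threshold logic run on a constructed
sample so they can be exercised offline.
"""
import ssl
import subprocess
import sys
import time

# Constructed sample of `openssl x509 -noout -dates` output (not captured
# from a real host). notAfter here is 2025-06-25T00:00:00Z.
SAMPLE_DATES = (
    "notBefore=Mar 27 00:00:00 2025 GMT\n"
    "notAfter=Jun 25 00:00:00 2025 GMT\n"
)

DAY = 86400


def parse_not_after(dates_output):
    """Return the notAfter value (seconds since epoch) from openssl -dates output."""
    for line in dates_output.splitlines():
        if line.startswith("notAfter="):
            # openssl prints e.g. "Jun  5 00:00:00 2025 GMT";
            # ssl.cert_time_to_seconds parses exactly that format.
            return ssl.cert_time_to_seconds(line.split("=", 1)[1].strip())
    raise ValueError("no notAfter line in openssl output")


def days_remaining(not_after, now):
    """Whole days of validity left; negative once the cert has expired."""
    return int((not_after - now) // DAY)


def evaluate(dates_output, now, threshold_days=14):
    """Return (days_left, alert) for one certificate's -dates output."""
    days = days_remaining(parse_not_after(dates_output), now)
    return days, days < threshold_days


def fetch_dates(host, port=443, timeout=10):
    """Run the same pipeline as the post, with SNI so a server hosting several
    certificates returns the one for `host`."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-servername", host, "-connect", f"{host}:{port}"],
        input=b"", capture_output=True, timeout=timeout,
    )
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-dates"],
        input=s_client.stdout, capture_output=True, check=True, timeout=timeout,
    )
    return x509.stdout.decode()


def main(hosts, threshold_days=14):
    """Probe each host; return 1 if any cert is inside the threshold or could
    not be checked, so a cron job or alerting wrapper notices."""
    failing = 0
    now = time.time()
    for host in hosts:
        try:
            days, alert = evaluate(fetch_dates(host), now, threshold_days)
        except (subprocess.SubprocessError, ValueError) as exc:
            # An unreachable host or an empty handshake is itself worth an alert.
            print(f"{host}: check failed: {exc}")
            failing += 1
            continue
        status = "ALERT" if alert else "ok"
        print(f"{host}: {days} days left [{status}]")
        failing += alert
    return 1 if failing else 0


if __name__ == "__main__":
    # Hypothetical hostnames; replace with your own, e.g.
    #   python3 cert_expiry.py www.example.org api.example.org
    sys.exit(main(sys.argv[1:] or ["yourdomain.com"]))
```

Run it from cron once or twice a day against every public hostname you serve; a failed check is treated the same as a near-expiry cert, so a host that stops answering TLS also pages you rather than disappearing quietly.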

The good news: the 90-day cert lifetime combined with a 30-day renewal window gives most sites meaningful buffer. The bad news: that buffer erodes fast across a fleet of servers, especially if today's outage goes unnoticed until something breaks in production.

Sources
  1. Let's Encrypt has been down most of today

Synthesized by Claude · sanity-checked before publish.
