Scheduled TLS Certificate Update — Let's Encrypt Intermediate Rotation

Update timeline

1. resolved Jun 03, 2026, 08:17 PM UTC

   SUMMARY We are rotating the Let's Encrypt intermediate certificates used to issue the TLS certificates that secure our services. Our certificates will continue to chain to the same trusted root — ISRG Root X1 — but through Let's Encrypt's new "Generation Y" intermediate hierarchy. For the vast majority of customers, no action is required. If your systems validate our certificates against the public root store — the default for virtually all browsers, operating systems, and HTTP client libraries — this change is completely transparent. The only customers who may be affected are those who pin a specific Let's Encrypt intermediate certificate. WHY WE'RE MAKING THIS CHANGE The intermediate certificates currently in our chain are approaching the end of their lifecycle, with the existing intermediate path expiring in approximately nine months. Rotating well ahead of that deadline guarantees uninterrupted certificate issuance and renewal with no disruption to your integrations. THE CHAIN OF TRUST A TLS certificate is never validated on its own. It is verified through a chain that links the connection back to a root certificate your device already trusts. Today, our certificates chain like this: Your connection → Smarty leaf certificate → Let's Encrypt intermediate → ISRG Root X1 After this update, they will chain like this: Your connection → Smarty leaf certificate → Let's Encrypt Generation Y intermediate (YR / YE) → ISRG Root YR / YE → ISRG Root X1 (via cross-sign) The destination is unchanged. Both the old and new paths terminate at ISRG Root X1, the RSA root that ships in every current major trust store. Let's Encrypt cross-signed its new Generation Y roots with the existing X1 and X2 roots specifically so that anything already trusting X1 continues to work without modification. The path is longer; the anchor of trust is identical.