Netgate Discussion Forum

    Upstream Let's Encrypt Profile Changes coming May 13, 2026

      jimp Rebel Alliance Developer Netgate

      Current versions of the ACME package let you define a profile to use when requesting a certificate. Let's Encrypt is changing the behavior of some of those profiles next week, though they've been sending out announcements about the changes for a while now.

      The changes are:

      Let’s Encrypt will be making three previously-announced changes in one week, on May 13, 2026:

      • The tlsserver ACME profile will switch to 45-day certificates. This profile is opt-in, for use by early adopters. The full timeline of shortening our certificate’s lifetime to 45 days over the next two years can be found in our blog post, Decreasing Certificate Lifetimes to 45 Days.
      • The tlsclient ACME profile will only be available to ACME accounts which have previously requested a certificate from that profile. That profile will be available until July 8, 2026. For more details, see Ending TLS Client Authentication Certificate Support.
      • The classic ACME profile will switch to using our new "Generation Y" intermediates. These intermediates chain to our existing X1 and X2 roots, so this change should not introduce compatibility issues.

      The default profile if you don't specify one when requesting a certificate is classic. So most users can expect to see some different intermediates coming in when renewing after the 13th.

      Eventually, Let's Encrypt is making the tlsserver profile the default instead, so if you use Let's Encrypt to protect public servers, now is probably a good time to start testing that profile in a staging environment. Honestly, most people won't notice a difference with it the way most services use TLS server certificates. It'll renew more often, but if it's automated, there's little cause for concern.

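The renewal-timing side of the 45-day tlsserver lifetime mentioned in the post, as an added example that is not part of the original post or of the ACME package: it checks whether a renewal interval fixed in days still fires before a certificate expires. The inventory, the field names and the one-third margin are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed inventory (not real certificates): the validity window of the
# installed certificate and the renew-after-N-days value the ACME client is
# configured with. Names and field names are hypothetical.
CERTS = [
    {"name": "www-classic", "not_before": "2026-05-01T00:00:00+00:00",
     "not_after": "2026-07-30T00:00:00+00:00", "renew_after_days": 60},
    {"name": "api-tlsserver", "not_before": "2026-05-14T00:00:00+00:00",
     "not_after": "2026-06-28T00:00:00+00:00", "renew_after_days": 60},
    {"name": "vpn-tlsserver", "not_before": "2026-05-14T00:00:00+00:00",
     "not_after": "2026-06-28T00:00:00+00:00", "renew_after_days": 40},
    {"name": "mail-tlsserver", "not_before": "2026-05-14T00:00:00+00:00",
     "not_after": "2026-06-28T00:00:00+00:00", "renew_after_days": 30},
]

MARGIN_DIVISOR = 3  # assumption: keep 1/3 of the lifetime free for retries


def audit(cert):
    """Classify one certificate's renewal schedule against its lifetime."""
    start = datetime.fromisoformat(cert["not_before"])
    end = datetime.fromisoformat(cert["not_after"])
    lifetime = end - start
    renew_at = start + timedelta(days=cert["renew_after_days"])
    margin = end - renew_at  # time left for retries once renewal starts
    if margin <= timedelta(0):
        status = "EXPIRES_BEFORE_RENEWAL"  # the schedule never fires in time
    elif margin < lifetime / MARGIN_DIVISOR:
        status = "TIGHT"
    else:
        status = "OK"
    # Largest whole-day interval that still leaves the required margin.
    suggested = lifetime.days - lifetime.days // MARGIN_DIVISOR
    return {"name": cert["name"], "lifetime_days": lifetime.days,
            "margin_days": margin.days, "status": status,
            "suggested_renew_after_days": suggested}


def audit_all(certs=CERTS):
    return [audit(c) for c in certs]


if __name__ == "__main__":
    for row in audit_all():
        print(row)
```
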
      Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.