We have identified that our cross-certified subordinate CAs are missing Extended Key Usage (EKU) fields which are now required.
We are revoking and reissuing our cross-signs of X2/YR by X1, and YE by X2.
This will not affect most Let’s Encrypt subscribers. We will not be revoking the end-entity certificates, as they are still compliant. However, any certificates issued from our roots YE and YR may not chain successfully to our previous roots X1 and X2 without an updated cross-signed intermediate in their chain.
If you have certificates issued by the “tlsserver” or “shortlived” ACME profiles, we recommend renewing them. Our ACME Renewal Information API is signalling affected certificates to renew now.