Josh Aas is on the thread. It's a compliance issue, they expect to be issuing shortly.

What if they get kicked out of trusted roots because non-compliant ?

You don't get kicked out of trusted roots for non-compliance, you get kicked out for continuing to knowingly issue non-compliant certs, failing to revoke non-compliant certs in a timely fashion once discovered, etc.

Pausing issuance immediately upon discovery of a compliance issue is the absolute correct response so as long as they do their followup appropriately there is absolutely zero risk of being distrusted.

▲

rvnx 8 hours ago | parent [-]

> You don't get kicked out of trusted roots for non-compliance

Of course you do, it's the main reason CAs fix compliance issues so fast.

Symantec, WoSign, Entrust, etc repeatedly had non-compliance issues and that led to them being removed (even if fixed)

Here was not a big issue: they forgot a flag to narrow the delegation of trust (but nobody knew that a few hours ago)

Still it can be very problematic, there is a quite similar situation here https://bugzilla.mozilla.org/show_bug.cgi?id=1883843

A basic non-compliance issue, just a web link missing, but huge consequences if they don’t fix it.

Repeated non-compliance (like the Symantec) will eventually get you removed even if fixed.

The core definition of losing “trust” in someone.

Keep in mind that few hours ago, nobody knew what the violation was. Turns out it was an easy fix.

	▲	tptacek 8 hours ago \| parent [-]
		You didn't actually respond to what the preceding comment argued. They were just pointing out the distinction between Symantec and WoSign and ordinary compliance events.

▲

nicolas_17 11 hours ago | parent | prev | next [-]

That's why they take incidents like this seriously and stop issuance until it's fixed. They could get kicked out of trusted roots otherwise.

▲

nijave 10 hours ago | parent | prev [-]

Change your config to ZeroSSL or another free ACME provider?