HeadlinesBriefing.com

Let's Encrypt Certificate Changes Impact XMPP Servers Feb 2026

Hacker News: Front Page

On February 11, 2026, Let's Encrypt will begin issuing certificates with server-only authentication by default, potentially disrupting server-to-server connections in the XMPP network. This change affects how XMPP servers authenticate when establishing federation connections, as traditional TLS libraries may reject certificates that lack the client authentication purpose in their Extended Key Usage (EKU) extension. The shift stems from Let's Encrypt's decision to align more closely with web browser certificate usage patterns.

XMPP servers typically use certificates to verify both client logins and server-to-server communications. When servers connect to each other, the initiating server acts as a TLS client, requiring certificates that support both server and client authentication. Let's Encrypt's new default certificates will only specify server authentication usage, which could cause connection failures with servers that strictly enforce certificate validation rules.

Prosody XMPP server has already implemented support for server-only certificates in server-to-server connections, treating them as valid regardless of which server initiated the connection. However, other server implementations may require updates to handle these new certificates properly. Server operators should test their federation connections and ensure their software is compatible with the upcoming changes to maintain uninterrupted service.
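To check a deployed certificate ahead of the change, the sketch below classifies it by Extended Key Usage with `openssl x509 -text` and models the two validation behaviours described above. It is an added example, not code from the article or from any XMPP server; the function names, the `strict`/`relaxed` labels and the hostname `xmpp.example.org` are assumptions.

```shell
#!/bin/sh
# Added example; function names and policy labels are hypothetical.
# Usage: eku_class /path/to/cert.pem ; s2s_outbound_ok strict /path/to/cert.pem

# eku_class FILE: print the EKU class of a PEM certificate.
eku_class() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo unreadable; return 1; }
    case "$text" in
        *"X509v3 Extended Key Usage"*) ;;
        *) echo unrestricted; return 0 ;;   # no EKU extension: no purpose limit
    esac
    case "$text" in *"TLS Web Server Authentication"*) s=1 ;; *) s=0 ;; esac
    case "$text" in *"TLS Web Client Authentication"*) c=1 ;; *) c=0 ;; esac
    case "$s$c" in
        11) echo both ;;
        10) echo server-only ;;
        01) echo client-only ;;
        *)  echo other ;;
    esac
}

# s2s_outbound_ok POLICY FILE: would a peer accept FILE when this server
# initiates the connection and so presents it as a TLS client certificate?
#   strict  - peer requires the clientAuth purpose
#   relaxed - peer accepts a server-only certificate in either direction
#             (the behaviour the article describes for Prosody)
s2s_outbound_ok() {
    case "$1:$(eku_class "$2")" in
        strict:both|strict:client-only|strict:unrestricted) return 0 ;;
        relaxed:both|relaxed:client-only|relaxed:unrestricted|relaxed:server-only) return 0 ;;
        *) return 1 ;;
    esac
}

# make_cert OUTFILE EKU: constructed sample input, a throwaway self-signed
# certificate carrying the given extendedKeyUsage value.
make_cert() {
    cfg=$(mktemp); key=$(mktemp)
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' 'x509_extensions=ext' \
        '[dn]' 'CN=xmpp.example.org' '[ext]' "extendedKeyUsage=$2" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$key" -out "$1" 2>/dev/null; rc=$?
    rm -f "$cfg" "$key"
    return $rc
}
```

A `server-only` result that fails the `strict` check marks a certificate that some federation peers may refuse on outbound connections.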

Quick Fact: Let's Encrypt will roll out server-only certificates by default starting February 11, 2026.