Source: https://community.letsencrypt.org/t/202 ... bug/114591

On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (per BRs §3.2.2.8), so any domain name that was validated more than 8 hours ago requires rechecking.

Looks like Let's Encrypt have found a bug in their CAA code, so Let's Encrypt certificate users will need to update their certificate(s)...
I have already updated the certificates Informed Webmaster uses from Let's Encrypt.
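
The recheck rule from the quoted announcement, as an added example that is not part of the original post and is not Boulder's code: each name on an order is evaluated on its own against the 30-day validation window and the 8-hour CAA window, and a name past 8 hours gets a fresh CAA lookup. It goes beyond the quoted text by also evaluating the records, using the RFC 8659 tree-climbing rule; the zone data, names, timestamps and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

AUTHZ_LIFETIME = timedelta(days=30)  # validation reuse window stated in the announcement
CAA_MAX_AGE = timedelta(hours=8)     # CAA freshness window stated in the announcement
CA_DOMAIN = "letsencrypt.org"        # issuer domain name matched against CAA values

def relevant_caa(name, zone):
    """Climb from name toward the root; return the first non-empty CAA RRset."""
    labels = (name[2:] if name.startswith("*.") else name).split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []

def caa_permits(name, zone, ca=CA_DOMAIN):
    """True if the relevant RRset allows `ca` to issue for `name`."""
    rrset = relevant_caa(name, zone)
    issue = [v for tag, v in rrset if tag == "issue"]
    wild = [v for tag, v in rrset if tag == "issuewild"]
    # issuewild overrides issue for wildcard names only, and only when present.
    props = wild if name.startswith("*.") and wild else issue
    if not props:
        return True  # no applicable property: issuance is not restricted
    return any(v.split(";")[0].strip() == ca for v in props)

def names_blocking_issuance(authzs, zone, now):
    """Check every name individually; return {name: reason} for each blocker."""
    blocked = {}
    for name, validated_at in authzs.items():
        age = now - validated_at
        if age > AUTHZ_LIFETIME:
            blocked[name] = "validation expired"
        elif age > CAA_MAX_AGE and not caa_permits(name, zone):
            blocked[name] = "CAA recheck failed"
    return blocked

# Constructed sample data: CAA records as name -> [(tag, value)].
NOW = datetime(2020, 3, 1, 12, 0, tzinfo=timezone.utc)
ZONE = {"example.com": [("issue", "letsencrypt.org")],
        "shop.example.net": [("issue", "ca.example")]}
AUTHZS = {"www.example.com": NOW - timedelta(days=3),   # recheck, allowed via parent
          "shop.example.net": NOW - timedelta(days=3),  # recheck, another CA only
          "new.example.net": NOW - timedelta(hours=1),  # inside 8 hours, no recheck
          "old.example.org": NOW - timedelta(days=31)}  # validation too old

if __name__ == "__main__":
    print(names_blocking_issuance(AUTHZS, ZONE, NOW))
```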