Unfortunately, a bug in Let's Encrypt's CAA (Certification Authority Authorization) checking code has forced the certificate authority to revoke certificates. All Let's Encrypt certificates whose CAA records might not have been checked properly will be revoked today.
Website owners will need to manually force renewal; otherwise browsers will start displaying TLS security warnings. Some website hosts will do this automatically for you.
Let's Encrypt uses Certificate Authority software called Boulder. Typically, a web server that services many separate domain names and uses Let's Encrypt to secure them receives a single LE certificate covering all of the server's domain names rather than a separate certificate for each individual domain. In total, just over 3 million certificates are affected by this bug.
The bug LE discovered is that, rather than checking each domain name separately for valid CAA records authorizing that domain to be renewed by that server, Boulder would check a single one of the domains on that server n times (where n is the number of LE-serviced domains on that server). Let's Encrypt typically considers domain validation results good for 30 days from the time of validation, but CAA records specifically must be checked no more than eight hours prior to certificate issuance.
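A constructed Go model of the failure and the freshness rule described above (added here; it is not Boulder's code, and the `caaCheck` type, the queue functions and the sample names are assumptions): the buggy queue reuses one request value so every queued check looks up the same name, the fixed queue allocates one request per name, and an issuance-time invariant catches the difference.

```go
package main

import "time"

const authzLifetime = 30 * 24 * time.Hour // a validation result may be reused for 30 days
const caaMaxAge = 8 * time.Hour           // but CAA must be rechecked within 8 hours of issuance

// NeedsCAARecheck reports whether a cached validation is still reusable
// but too old to satisfy the CAA freshness rule at issuance time.
func NeedsCAARecheck(validatedAt, now time.Time) bool {
	age := now.Sub(validatedAt)
	return age <= authzLifetime && age > caaMaxAge
}

type caaCheck struct{ name string } // one queued CAA lookup (hypothetical type)
// BuggyQueue models the failure described above: a single request value is
// reused, so every queued check points at whichever name was written last.
func BuggyQueue(names []string) []*caaCheck {
	var shared caaCheck
	var q []*caaCheck
	for _, n := range names {
		shared.name = n
		q = append(q, &shared)
	}
	return q
}

// FixedQueue allocates a fresh request per name.
func FixedQueue(names []string) []*caaCheck {
	var q []*caaCheck
	for _, n := range names {
		q = append(q, &caaCheck{name: n})
	}
	return q
}

// CoversEveryName is the issuance-time invariant the bug violated: the queued
// checks must cover every name on the certificate exactly once.
func CoversEveryName(names []string, q []*caaCheck) bool {
	count := map[string]int{}
	for _, c := range q {
		count[c.name]++
	}
	for _, n := range names {
		if count[n] != 1 {
			return false
		}
	}
	return len(count) == len(names)
}
```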
Via: Ars Technica