Hacker News | robjmills's comments

Is there anything to suggest whether this relates to Certbot or API provisioning only, or both? We've checked a whole bunch of API v1 provisioned certs against their tool and nothing has been listed so far.


FWIW I think the reason we're unaffected (as far as we can tell so far) is because we're not re-issuing certs within a short time period. The bug at their end was to do with checking CAA records: if you re-issued the cert for a multi-domain cert within a short period of time after the initial provision, then it wouldn't re-check the CAA records. This meant that subsequent CAA changes wouldn't be checked and theoretically a cert could be re-issued despite a CAA record being added to prevent this. As I'm reading it, if you didn't re-issue within this timeframe then your cert can be assumed to be correct, as the original CAA check wasn't a problem.


Taylor has just mentioned on Twitter that he's going to start looking at GitLab and Bitbucket tonight.

