Let’s Encrypt is revoking some certificates because of a CAA (Certification Authority Authorization) rechecking bug, which the Let’s Encrypt team confirmed on February 29th, 2020. They also confirmed that 3,048,289+ certificates were affected and that these will be revoked. They may send an email when they revoke your certificate.
For more details, check the Let’s Encrypt community links: revoking-certain-certificates-on-march-4, CAA-Rechecking-Bug
You can check the revocation status with the following command on Linux:
curl -XPOST -d 'fqdn=www.domain.com' https://unboundtest.com/caaproblem/checkhost
If the certificate is affected, you see the following message:
The certificate currently available on www.domain.com needs renewal because it is affected by the Let’s Encrypt CAA rechecking problem. Its serial number is 032367e8e4b5993ce8881ada79253445d7c7. See your ACME client documentation for instructions on how to renew a certificate.
If it is OK, you see the following message:
The certificate currently available on www.domain.com is OK. It is not one of the certificates affected by the Let’s Encrypt CAA rechecking problem. Its serial number is eede6560cd35c0af02000000005971b70000
You can also check online with the following link: CAA-BUGCHECK
Revocation check status – Revocation-Check
Download CAA Incident affected serials
Linux Command to check the serial number of the certificate:
openssl s_client -connect domain.com:443 -showcerts -servername domain.com </dev/null 2>/dev/null | openssl x509 -text -noout | grep -A 1 Serial\ Number | tr -d :
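Then search the downloaded list of affected serials, replacing "serial number" with the value printed by the previous command:
zgrep "serial number" caa-rechecking-incident-affected-serials.txt.gz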
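The manual serial lookup above can be run over several hosts at once. This is an added example, not code from the original post or from Let's Encrypt. The function names are hypothetical, and it assumes each serial appears in the downloaded list as bare lowercase hex separated by whitespace.

```bash
#!/usr/bin/env bash
# Added example: batch form of the manual serial check (function names are hypothetical).

# Reduce an openssl serial rendering ("serial=03AB..", "03:ab:..") to bare lowercase hex.
normalize_serial() {
    printf '%s' "$1" | tr -d ' :\r\n' | sed 's/^[Ss]erial=//' | tr 'A-F' 'a-f'
}

# Print the serial of the certificate a host serves on port 443 (needs network access).
host_serial() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -serial 2>/dev/null
}

# serial_affected SERIAL LISTFILE
# Exit status: 0 = serial is in the list, 1 = not listed, 2 = serial unusable.
# An empty pattern would match every line of the list, so a failed TLS
# connection must not be reported as "affected"; it is rejected first.
serial_affected() {
    s=$(normalize_serial "$1")
    case "$s" in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    # -w matches whole words only, so a truncated serial does not match;
    # assumption: serials in the list are whitespace-separated lowercase hex.
    if [ "${2##*.}" = gz ]; then
        gzip -dc "$2" | grep -qwF "$s"
    else
        grep -qwF "$s" "$2"
    fi
}

# check_hosts LISTFILE HOST...
check_hosts() {
    listfile="$1"; shift
    for h in "$@"; do
        rc=0
        serial_affected "$(host_serial "$h")" "$listfile" || rc=$?
        case $rc in
            0) echo "$h: AFFECTED, renew the certificate" ;;
            1) echo "$h: ok" ;;
            *) echo "$h: could not read a serial" ;;
        esac
    done
}

# Usage: check_hosts caa-rechecking-incident-affected-serials.txt.gz www.domain.com
```

A host reported as "could not read a serial" was not checked at all and should be retried, not treated as unaffected.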