On 2023-06-15, Let’s Encrypt updated our subscriber certificate profile to remove the ISRG CPS OID and URL from the Certificate Policies extension. While this change was being deployed, it was possible for a single ACME Order Finalization flow to produce a precertificate and final certificate with the same serial number but different contents in this extension.
Out of an abundance of caution we halted issuance while we investigated the issue. Once we confirmed that the issue was transient and occurred only during the deploy, we resumed issuance.
We have identified a preliminary set of 645 affected serial numbers. We are in the process of confirming the affected certificates and developing remediations to prevent similar incidents from happening in the future. We will revoke the affected certificates within 5 days.
Please follow along for full details on Bugzilla.