Yeah, getice.ca fails in the same way.
Let's Encrypt -- for now -- still has a whitelist of domains for which CAA errors are ignored. That's probably why getice.ca works.
August 15 is a bit late for this, but I think there may be a bug/limitation in the broken CAA whitelist.
- User has certificate for grm.fleetnova.com but not fleetnova.com.
- User tries to validate grm.fleetnova.com.
  - CAA query for grm.fleetnova.com fails, but it's on the exception list.
  - CAA query for fleetnova.com fails, but it's not on the exception list.
  - CAA query for com succeeds.
- Validation fails with CAA error due to fleetnova.com failure.
It's only a hypothesis, but I think this could explain what @rictd is experiencing.
LookupCAA's exception check seems to be an "exact match" check rather than taking into account parent or child domains, so the exception list would need to have been manually generated to include failed domains and their parents (at least when their parents are also broken).
grm.fleetnova.com has past certificates and is in the SERVFAIL exception files you pasted the other day. fleetnova.com does not and is not.
getice.ca and www.getice.ca both have past certificates and are both on the list, and @rictd was just able to get a new certificate for them.
What do you think? Other than "I wish it was September 8 already."
If fleetnova.com is in the internal exception list, I guess I'm way off and something weird may be happening. If it isn't, the exception list or code may need to be updated to include parents where necessary.
Edit: Fix "example.com" and a couple of errors. I should do editing before hitting submit...
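To make the hypothesis concrete, here is an added simulation (my own code, not Boulder's LookupCAA) of the CAA tree walk against a constructed mock resolver and a constructed exception list for the names in this thread; `lookupCAA`, the `exactMatch` switch and the parent-aware rule it contrasts are hypothetical, and the real exception list contents are assumed to match what was pasted earlier.

```go
package main

import "strings"

// servfail is a constructed mock of the DNS behaviour described in the post:
// true means the CAA query for that name returns SERVFAIL.
var servfail = map[string]bool{
	"grm.fleetnova.com": true,
	"fleetnova.com":     true,
	"www.getice.ca":     true,
	"getice.ca":         true,
}

// exceptions is a constructed stand-in for the SERVFAIL exception list
// (names with past certificates); fleetnova.com is deliberately absent.
var exceptions = map[string]bool{
	"grm.fleetnova.com": true,
	"getice.ca":         true,
	"www.getice.ca":     true,
}

// lookupCAA climbs from name through each parent label (the RFC 6844 tree
// walk). A SERVFAIL at any level fails validation unless that level is exempt.
// With exactMatch the level itself must be listed; otherwise a hypothetical
// parent-aware rule lets an exemption for the requested name cover its parents.
// Returns the name whose SERVFAIL caused the failure, or "" on success.
func lookupCAA(name string, exactMatch bool) string {
	labels := strings.Split(name, ".")
	for i := range labels {
		level := strings.Join(labels[i:], ".")
		if !servfail[level] {
			continue // answered normally, move up to the parent
		}
		exempt := exceptions[level]
		if !exactMatch {
			exempt = exempt || exceptions[name]
		}
		if !exempt {
			return level
		}
	}
	return ""
}
```

With the exact-match rule grm.fleetnova.com fails at fleetnova.com while www.getice.ca succeeds, which is the pattern the post describes; with the parent-aware rule both succeed.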