As highlighted in the forums by Sean, Let's Encrypt recently discovered a bug in their Certificate Authority (aka CAA). The implication of this is that some of the certificates that they have issued, they shouldn't have!