Judging from the above, though, the responses are simply not updating; OCSP stapling can’t help there.

What’s not clear yet is whether this was a CDN fault or something broke at Let’s Encrypt and no new OCSP answers were being signed. But either way it’s concerning to have nobody actually on top of the incident for seemingly 3+ hours AND that there wasn’t anything in place to detect the looming catastrophe. Presumably these OCSP answers were antique, though not yet expired, on Saturday, and the problem could have been found and fixed then.

Once upon a time Let’s Encrypt published statistics showing OCSP signing. Those went away. I presumed they had simply gone from public visibility, but perhaps instead Let’s Encrypt ceased even to monitor its own systems in this regard and thus got blind-sided. This is especially important because it takes time to sign OCSP responses, so if the process to sign them broke, or the signed ones are lost and must be recreated, that’s going to take many hours.
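The kind of check the comment above says was missing, as an added example that is not part of the post and not Let’s Encrypt’s own monitoring: a freshness classifier over OCSP responses that alarms on age (the signer has stopped producing new responses) well before anything reaches nextUpdate. Field names follow RFC 6960 (producedAt, thisUpdate, nextUpdate). The timestamps are constructed for illustration, the 7-day validity window and the one-day expected re-signing cadence are assumptions, and in practice the fields would come from parsing a fetched or stapled response (for example `openssl ocsp -respin resp.der -text`) rather than being built inline.

```python
"""Freshness monitor for OCSP responses (added example, not from the post)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class OcspSingleResponse:
    serial: str
    produced_at: datetime            # producedAt: when the responder signed this response
    this_update: datetime            # thisUpdate: time the status is known to be correct
    next_update: Optional[datetime]  # nextUpdate: OPTIONAL in RFC 6960; None means no newer response is promised


def classify(resp: OcspSingleResponse, now: datetime,
             expected_refresh: timedelta = timedelta(days=1),   # assumption: signer re-signs at least daily
             critical_margin: timedelta = timedelta(days=1),    # assumption: page clients within a day of expiry
             skew: timedelta = timedelta(minutes=5)) -> str:
    """Return one of: ok, stale, critical, expired, invalid.

    'stale' is the early-warning state: nothing has expired yet, but the
    responder has not signed a fresh response within its expected cadence.
    'critical' means the remaining validity is inside the margin.
    Checks are ordered by severity so the worst applicable state wins.
    """
    if resp.produced_at - now > skew:
        return "invalid"          # signed "in the future" beyond clock-skew tolerance
    if resp.next_update is not None:
        if now >= resp.next_update:
            return "expired"      # clients will now fail hard (or soft-fail, depending on policy)
        if resp.next_update - now <= critical_margin:
            return "critical"
    if now - resp.produced_at > expected_refresh:
        return "stale"            # the looming-catastrophe signal: signer has missed its cycle
    return "ok"


def scan(responses, now: datetime) -> Dict[str, str]:
    """Return {serial: state} for every response that is not 'ok'."""
    findings = {}
    for resp in responses:
        state = classify(resp, now)
        if state != "ok":
            findings[resp.serial] = state
    return findings


def sample_responses(now: datetime):
    """Constructed responses for a responder that uses a 7-day window (assumption)."""
    window = timedelta(days=7)

    def mk(serial, signed_ago, with_next=True):
        produced = now - signed_ago
        return OcspSingleResponse(serial, produced, produced, produced + window if with_next else None)

    return [
        mk("fresh", timedelta(hours=6)),                  # re-signed this morning: ok
        mk("missed_cycles", timedelta(days=3)),           # no new signature for 3 days: stale
        mk("about_to_expire", timedelta(days=6, hours=12)),  # 12h of validity left: critical
        mk("already_expired", timedelta(days=8)),         # past nextUpdate: expired
        mk("no_next", timedelta(days=2), with_next=False),   # nextUpdate absent, still aging: stale
        OcspSingleResponse("future", now + timedelta(hours=1), now + timedelta(hours=1), now + window),  # invalid
    ]


if __name__ == "__main__":
    now = datetime(2024, 1, 16, 12, 0, tzinfo=UTC)  # constructed "now"
    for serial, state in sorted(scan(sample_responses(now), now).items()):
        print(f"{serial:16s} {state}")
```

The design point is that `stale` fires on signing age alone, independent of expiry: a fleet where every response is older than the expected refresh interval is a broken signer, visible days before the first `critical` or `expired`, which is exactly the window the comment argues was squandered.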