(Was sleeping)
Everyone… it can take a few days for Caddy to detect the revocation and do the replacement. Caddy will DEFINITELY not let them expire; it won’t even let their OCSP staple expire. OCSP staples are usually valid for just a few days to a week, and Caddy refreshes them halfway through, so it will see the Revoked status in at most a few days once they are revoked. In the meantime Caddy will continue to serve Good OCSP staples.
You should be fine even if it takes a few days. Remember that Let’s Encrypt won’t revoke for another day or so yet.
It’s A-OK to be proactive and take extra initiative, of course. Especially if your users have clients that may not honor valid, signed OCSP responses. In that case just delete the certificates from Caddy’s storage and reload, and Caddy will get new certificates right away.
(I’m of course only talking about Caddy instances from the last ~6 months or so since this feature was released. V2.4.2 or higher. If you’re not already on the latest version, please upgrade!)
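As an added example (not code from the original post, and not Caddy's own code), here is a small POSIX shell script for checking what the post describes: which OCSP staple a server is currently handing out (Good, Revoked, or none) and when that staple's Next Update falls, which bounds how long Caddy can keep serving the old response. The `openssl s_client -status`, `openssl x509 -ocsp_uri` and `openssl ocsp` invocations are standard OpenSSL CLI usage; the host name, file names and the sample captures are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Caddy's code: inspect the OCSP staple a TLS server sends.

# Live check (needs network). Usage: staple_status_for example.com
# Feeds the output of `openssl s_client -status` to the parser below.
staple_status_for() {
  host=$1
  openssl s_client -connect "$host:443" -servername "$host" -status \
    </dev/null 2>/dev/null | staple_status
}

# Parse `openssl s_client -status` output on stdin and print one word:
#   good / revoked / unknown  (the stapled Cert Status)
#   none                      (the server sent no staple at all)
staple_status() {
  awk '
    /^OCSP response: no response sent/ { print "none"; found = 1; exit }
    /Cert Status:/                     { print tolower($3); found = 1; exit }
    END                                { if (!found) print "none" }
  '
}

# Print the staple's "Next Update" timestamp from the same output (empty if
# no staple). Caddy refreshes halfway between This Update and Next Update.
staple_next_update() {
  sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1
}

# Ask the CA's responder directly for a leaf/issuer PEM pair (needs network).
# This is roughly what a client that ignores stapled responses would see.
ask_responder() {
  cert=$1; issuer=$2
  url=$(openssl x509 -in "$cert" -noout -ocsp_uri)
  openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -resp_text \
    2>/dev/null | staple_status
}

# Constructed sample captures (not real responses), in the shape openssl prints.
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Nov 12 00:00:00 2021 GMT
    Next Update: Nov 19 00:00:00 2021 GMT
======================================'

SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Nov 13 12:00:00 2021 GMT
    This Update: Nov 13 12:00:00 2021 GMT
    Next Update: Nov 20 12:00:00 2021 GMT
======================================'

SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'

# Helpers that run the parsers over a captured string.
status_of()      { printf '%s\n' "$1" | staple_status; }
next_update_of() { printf '%s\n' "$1" | staple_next_update; }

# Demonstration over the constructed samples.
printf 'good sample    -> %s (next update: %s)\n' \
  "$(status_of "$SAMPLE_GOOD")" "$(next_update_of "$SAMPLE_GOOD")"
printf 'revoked sample -> %s\n' "$(status_of "$SAMPLE_REVOKED")"
printf 'no staple      -> %s\n' "$(status_of "$SAMPLE_NONE")"
```

Run `staple_status_for your.domain` against a live Caddy instance; a `good` result with a Next Update still days away is the "in the meantime" window the post describes, and a `revoked` result (or a `revoked` from `ask_responder`) is the point at which Caddy's next staple refresh would trigger replacement.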
That is one way to do it, but the right value depends on you. You can set it to 1 and it will always renew every time it scans certificates. Of course in production this will quickly run you up against duplicate cert rate limits enforced by Let’s Encrypt. But 1 will guarantee it renews them all. Just be sure to remove the custom value right away afterwards.