An update, as the support ticket has now been closed:
All of the affected websites were proxied root domains or subdomains via Cloudflare (A + AAAA records only).
So, there is a difference between manually renewing and auto-renewing. Not a huge one, but still. The auto-renewal function of Let's Encrypt has an exponential backoff, to prevent IP addresses from being rate limited or blacklisted. The fact that auto-renewal is first attempted 3 days before expiry instead of the more standard 30 days means there's less room for errors in renewal, leading to websites being unavailable.
As per support:
If you're using the Cloudflare proxy, there is no guarantee that it won't block the Let's Encrypt validation. Since they don't use a fixed pool of IPs it can't be whitelisted in Cloudflare. The best solution is to install the Cloudflare origin certificate instead.
So this will be relevant for anyone proxying their websites with Cloudflare who is relying on Let's Encrypt certificates and Full (Strict) encryption between Cloudflare and the origin server. I've installed the Origin Certificates, and all is working fine now of course, as they are valid for 15 years.
However, I'm left with two concerns (that I could think of for now):
This setup of using Cloudflare Origin Certificates means that if a change needs to be made from proxying to non-proxy, a Let's Encrypt certificate must be requested manually, because the origin certificate is only valid between Cloudflare and the origin server.
Also, it means that any package must have the "Allow self installation of SSL certificates" option enabled if there is a chance that a customer using the package would want to add the CDN service (which we offer separately). I'm not the biggest fan of allowing all customers to self-install any SSL certificate, but for now this will have to do.
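An inventory audit for the two situations described in the post above, as an added example that is not part of the original post or of any hosting panel's code. It flags Let's Encrypt certificates on proxied hostnames that are approaching the 3-day auto-renewal attempt, and origin certificates left on hostnames that are no longer proxied. The record fields, hostnames, issuer strings and finding names are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

STANDARD_RENEW_DAYS = 30  # the "more standard" window mentioned in the post
PANEL_RENEW_DAYS = 3      # first auto-renewal attempt, per the post


def audit_site(site, now):
    """Return findings for one hostname record (field names are assumed)."""
    findings = []
    issuer = site["issuer"].lower()
    days_left = (site["not_after"] - now).days
    if days_left < 0:
        findings.append("expired")
    # An origin certificate is only valid between Cloudflare and the origin,
    # so it must not be served on a hostname that visitors reach directly.
    if "cloudflare origin" in issuer and not site["proxied"]:
        findings.append("origin-cert-unproxied")
    # Let's Encrypt validation arrives through the proxy, which may block it.
    if "let's encrypt" in issuer and site["proxied"]:
        findings.append("le-behind-proxy")
        if 0 <= days_left <= PANEL_RENEW_DAYS:
            findings.append("in-auto-renew-window")  # little room for retries
        elif PANEL_RENEW_DAYS < days_left <= STANDARD_RENEW_DAYS:
            findings.append("renew-manually")  # do not wait for the 3-day attempt
    return findings


def audit(inventory, now):
    return {site["host"]: audit_site(site, now) for site in inventory}


def sample_inventory(now):
    """Constructed records; hostnames and issuer strings are illustrative."""
    le, origin = "Let's Encrypt", "Cloudflare Origin CA"
    rows = [("shop.example", True, le, 20), ("blog.example", True, le, 2),
            ("direct.example", False, origin, 5000), ("cdn.example", True, origin, 5000)]
    return [{"host": h, "proxied": p, "issuer": i,
             "not_after": now + timedelta(days=d)} for h, p, i, d in rows]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for host, findings in audit(sample_inventory(now), now).items():
        print(host, findings or "ok")
```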