The Route 53 zone is called i.ncdn.moe but there doesn't seem to be any zone for ncdn.moe.
That's not a valid setup in the DNS. Due to how DNS resolution works, such an invalid delegation is usually, mostly functional. It's not functional for Let's Encrypt's explicit query for a CAA record for ncdn.moe .
Coincidentally, someone else had the same problem, with a different DNS service and for different reasons, earlier today:
You need to create an ncdn.moe zone in Route 53. (Or any other DNS provider, really, but why make it more complicated?)
Then you'd create i record(s) to replicate the current setup. (Either equivalent CloudFront alias record(s), or -- for the complicated option -- NS records to delegate to the existing zone.)
(Due to how Route 53 works, an ncdn.moe zone would inevitably have different nameservers than your existing i.ncdn.moe zone, so you'd have to adjust the delegation at your registrar.)