The rate limit being hit is Certificates per Registered Domain (50 per week).
Let's Debug says:
The 'Certificates per Registered Domain' limit (50 certificates per week that share the same Registered Domain: tickoweb.be) has been exceeded. There is no way to work around this rate limit. The next non-renewal certificate for this Registered Domain should be issuable after 2021-09-24 12:40:11 +0000 UTC (1h49m0s from now).
As for the renewals, I don't know the rate limits well enough to answer what's going wrong here. Maybe the system is confused and doesn't see your renewals as renewals.
At least for this cert, you actually have several more weeks of use left in it - so it is not critical at this point.
If any other FQDNs are much more critical...
I would say that you may be able to use another FREE CA until this problem gets cleared up here.
It looks like your site is set up to have an unbounded number of subdomains (one for each event using your platform), but that you host and control all of the content on every subdomain (they're not handed out to your clients for them to control, so they don't need to be sandboxed from each other). Why not use a single wildcard cert for this?
Although wildcard cert use would minimize the number of certs and renewals.
Multiple IPs are seen and also multiple subdomains are being used.
[not all FQDNs have only two dots - some have three dots]
So some care would have to be taken to include the right number of wildcard SAN entries on each of the systems in use.
Even the base domain resolves to yet another IP.
Not saying it's impossible... Just saying it might not be as super simple as their current process nor as one would expect/hope with implementing wildcard certs correctly.
[in this particular scenario]
But yes, I do agree that this is also a viable workaround to the current situation.
We are considering a wildcard for everything under the main domain (*.tickoweb.be), and specific certificates for others (foo.bar.tickoweb.be). It's on the wishlist, just not implemented yet. It's not as straightforward, as, indeed, the infra here is slightly more complicated than the average setup.
While it is true that this would (currently) work around the bulk of the issues now, it still leaves the question as to why this is happening at all. Indeed, we would still have the same problem with the 4th-level subdomains.
Thanks for all your input so far, it's greatly appreciated!
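The wildcard planning discussed above (one wildcard for third-level names, separate handling for fourth-level names) can be checked mechanically. This is an added example, not code from the thread or from Let's Encrypt; the hostnames are constructed under the reserved .test TLD, and the function names and the caller-supplied registered domain are assumptions.

```python
WEEKLY_CERT_LIMIT = 50  # "Certificates per Registered Domain" limit quoted in the thread


def covers(san: str, name: str) -> bool:
    """True if a certificate SAN entry matches a hostname.

    A wildcard stands for exactly one leftmost label, so *.example.test
    matches a.example.test but neither example.test nor x.a.example.test.
    """
    san, name = san.lower().rstrip("."), name.lower().rstrip(".")
    if not san.startswith("*."):
        return san == name
    head, _, parent = name.partition(".")
    return bool(head) and parent == san[2:]


def plan_sans(fqdns, registered_domain):
    """Return the sorted set of apex/wildcard SAN entries covering every hostname."""
    base = registered_domain.lower().rstrip(".")
    sans = set()
    for fqdn in fqdns:
        name = fqdn.lower().rstrip(".")
        if name == base:
            sans.add(base)            # the apex needs its own entry
        elif name.endswith("." + base):
            _, _, parent = name.partition(".")
            sans.add("*." + parent)   # one wildcard per distinct parent name
        else:
            raise ValueError(f"{fqdn} is not under {registered_domain}")
    return sorted(sans)


# Constructed hostnames (not taken from the thread).
HOSTS = [
    "example.test",
    "event1.example.test", "event2.example.test", "event3.example.test",
    "foo.bar.example.test", "baz.bar.example.test",
    "foo.qux.example.test",
]

if __name__ == "__main__":
    sans = plan_sans(HOSTS, "example.test")
    print("per-host certificates:", len(set(HOSTS)), "against a limit of", WEEKLY_CERT_LIMIT)
    print("wildcard SAN entries: ", sans)
    print("uncovered hosts:      ", [h for h in HOSTS if not any(covers(s, h) for s in sans)])
```

Each distinct parent of a fourth-level name needs its own wildcard entry, which is why the fourth-level names stay a separate concern. Let's Encrypt issues wildcard names only through the DNS-01 challenge, so every system requesting such a certificate needs a way to publish the validation TXT record.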
Let's Encrypt staff identified this as an unintended regression caused by recent changes. This issue will likely affect many other users until resolved, but it is indeed a bug and the LE Staff will be addressing it.
I am sorry for being sparse on the details here. The LE Staff is busy addressing this and some other matters, and hastily provided us (community moderators) with a high-level explanation. I don't want to paraphrase any of the information they've shared incorrectly.