https://dnsviz.net/d/apps.epicentre-msf.org/dnssec/
Your NS records are inconsistent: Your registrar thinks the servers are ns-780.awsdns-33.net, ns-1483.awsdns-57.org, ns-1974.awsdns-54.co.uk, ns-264.awsdns-33.com

But when queried, they're replying that the servers actually are these: ns-479.awsdns-59.com, ns-927.awsdns-51.net, ns-1274.awsdns-31.org, ns-1617.awsdns-10.co.uk
You need to fix whichever one is wrong. We've seen this a few times with Route 53 with people saying that it used to work; I don't know if maybe there was a system (either on Let's Encrypt's side or on the Route 53 side) that was tolerating the misconfiguration better before, or if nameservers got changed somehow without the administrators knowing, but it needs to be fixed in order for your domain to work reliably.
The CAA record isn't the problem directly (it'd be fine if it were gone, though adding one can improve your domain's security); it's just that it needs to get a "no record" (or valid) lookup result in order to get a certificate, rather than an error.
In their documentation, this page's "Step 4" says how to go into the details of your hosted zone to find which nameservers the zone should be using; those are the nameservers that should be in both that zone's NS record and in your registrar's configuration for your domain.
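
An added example, not part of the original post: a small check that compares the NS set in the delegation with the NS set the zone's own servers return, which is the mismatch described above. The records are constructed in dig's answer format from the two name lists in the post; the zone name `example.org.`, the TTLs, and the function names `ns_set` and `compare` are assumptions for illustration.

```python
# Added example. Records are constructed in dig's answer format: the NS names
# are the two sets quoted in the post, the zone name and TTLs are placeholders.
ZONE = "example.org."  # placeholder zone name

# What the parent/registrar side publishes (the delegation).
DELEGATION = """\
;; AUTHORITY SECTION:
example.org.  86400  IN  NS  ns-780.awsdns-33.net.
example.org.  86400  IN  NS  ns-1483.awsdns-57.org.
example.org.  86400  IN  NS  ns-1974.awsdns-54.co.uk.
example.org.  86400  IN  NS  ns-264.awsdns-33.com.
"""

# What the servers themselves answer for the zone's own NS record.
ZONE_ANSWER = """\
;; ANSWER SECTION:
example.org.  172800  IN  NS  NS-479.AWSDNS-59.com.
example.org.  172800  IN  NS  ns-927.awsdns-51.net.
example.org.  172800  IN  NS  ns-1274.awsdns-31.org.
example.org.  172800  IN  NS  ns-1617.awsdns-10.co.uk
"""


def ns_set(text, zone):
    """Collect NS targets for `zone`, ignoring case, trailing dots and comments."""
    zone = zone.rstrip(".").lower()
    targets = set()
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if len(fields) < 3 or fields[-2].upper() != "NS":
            continue
        if fields[0].rstrip(".").lower() != zone:
            continue  # NS record for some other name
        targets.add(fields[-1].rstrip(".").lower())
    return targets


def compare(delegation_text, zone_text, zone):
    """Return (consistent, only_in_delegation, only_in_zone)."""
    parent, child = ns_set(delegation_text, zone), ns_set(zone_text, zone)
    return parent == child, sorted(parent - child), sorted(child - parent)


if __name__ == "__main__":
    ok, stale, missing = compare(DELEGATION, ZONE_ANSWER, ZONE)
    print("consistent" if ok else "MISMATCH")
    for name in stale:
        print("only in delegation:", name)
    for name in missing:
        print("only in zone NS record:", name)
```

To run it against a live zone, paste in the NS records returned by the parent zone's servers and by each listed nameserver in place of the constructed text.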