Perhaps the cPanel server has both AutoSSL and a separate Let's Encrypt plugin configured, and they're fighting with each other. I do not think it would be my plugin, because we have a fairly aggressive exponential back-off for certificates that are failing renewals.
Is there any evidence that the ACME requests originate from the same server?
When I have seen such a symptom in the past, it has usually been the case that there is a second cPanel server (or any kind of webserver, really), that believes it is authoritative for that domain and is going about its day under that assumption.
For example, when the domain has been migrated from one cPanel host to another, and the old cPanel account was not terminated.
Or when a user stopped using a CDN and the CDN doesn't have safeguards against it.