It is a common problem that, with regularly renewed certificates (LE), you also have to adjust your TLSA RR.
However, this can be avoided if the LE renewal process uses the same keypair and your TLSA RR is set to something like "3 1 1" in the cert usage parameters, so that only the "SubjectPublicKeyInfo" will be hashed.
So I wonder how exactly the LE renewal process is implemented and whether this subject is covered ;)
More information directly on the LE community:
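
An added example, not part of the original post: the script below computes the "3 1 1" association data (SHA-256 over the SubjectPublicKeyInfo) for a certificate, a renewal that reuses the keypair, and a renewal with a fresh keypair. It assumes `openssl` is installed; self-signed certificates stand in for LE-issued ones, and the hostname `mail.example.test` and port 25 are constructed.

```shell
#!/bin/sh
# Added illustration: self-signed certs stand in for LE-issued ones (assumption).
set -e

# TLSA "3 1 1" data: SHA-256 over the DER-encoded SubjectPublicKeyInfo.
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# TLSA "3 0 1" data: SHA-256 over the whole DER certificate, for contrast.
tlsa_301() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Issue a 90-day certificate for key $1 into $2 (constructed hostname).
issue() {
    openssl req -new -x509 -key "$1" -out "$2" -days 90 \
        -subj "/CN=mail.example.test" 2>/dev/null
}

newkey() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

work=$(mktemp -d)
newkey "$work/key1.pem"
newkey "$work/key2.pem"
issue "$work/key1.pem" "$work/current.pem"        # certificate in use today
issue "$work/key1.pem" "$work/renew_samekey.pem"  # renewal reusing the keypair
issue "$work/key2.pem" "$work/renew_newkey.pem"   # renewal with a fresh keypair

current=$(tlsa_311 "$work/current.pem")
samekey=$(tlsa_311 "$work/renew_samekey.pem")
rotated=$(tlsa_311 "$work/renew_newkey.pem")

echo "_25._tcp.mail.example.test. IN TLSA 3 1 1 $current"
if [ "$current" = "$samekey" ]; then
    echo "same keypair: published 3 1 1 record still matches after renewal"
fi
if [ "$current" != "$rotated" ]; then
    echo "new keypair: publish 3 1 1 $rotated before deploying the certificate"
fi
if [ "$(tlsa_301 "$work/current.pem")" != "$(tlsa_301 "$work/renew_samekey.pem")" ]; then
    echo "a 3 0 1 record would need updating even with the same keypair"
fi
```
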