unless things have changed, let's encrypt used to specifically reject example.com. If you have a private CA for example.com, why not generate your own certificates and use those?