They’re not reachable from the Internet, and Let’s Encrypt requires them to be accessible for the validations necessary to issue certificates by the challenges HTTP-01 or TLS-ALPN-01
To get certificates for internal-only domain names, you’ll need to use the DNS challenge. This article describes how to do that.