No CAA record on id-rsa.pub (wildcard=false) contains the issuance domain "letsencrypt.org". You must either add an additional record to include "letsencrypt.org" or remove every existing CAA record. A list of the CAA records are provided in the details.
id-rsa.pub. 0 IN CAA 0 issue "amazonaws.com"