How to prevent other nodes from joining my cluster?

You wouldn’t normally use Let’s Encrypt certs for xpack.security.transport.ssl because that means you have to trust the Let’s Encrypt root certs, which means that essentially anyone can get a certificate which would permit them to add a node to your cluster. Instead, if you don’t want to use the enrollment mechanism, you would create your own CA so that you can control exactly which certificates are issued and therefore exactly which nodes can join the cluster.

See Security settings in Elasticsearch (Elasticsearch Guide [8.6]), particularly the xpack.security.transport.ssl.certificate_authorities and/or xpack.security.transport.ssl.truststore.path settings.

4 Likes
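
The transport-layer setup described in the answer above, as an added example that is not part of the original post or Elastic's documentation. The file names under certs/, the node name node-1 and the host name node-1.example.internal are placeholders chosen for illustration.

```yaml
# elasticsearch.yml on one node (added example; paths and names are placeholders)
#
# Private CA and per-node certificate, generated once on an admin machine
# with the tool bundled with Elasticsearch:
#   bin/elasticsearch-certutil ca --pem
#   bin/elasticsearch-certutil cert --pem --ca-cert ca/ca.crt --ca-key ca/ca.key \
#       --name node-1 --dns node-1.example.internal
# Only ca.crt and the node's own key/cert pair are copied to the node.
# ca.key stays off the cluster, because whoever holds it can issue node certs.

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

# This node's identity, issued by the private CA.
xpack.security.transport.ssl.key: certs/node-1.key
xpack.security.transport.ssl.certificate: certs/node-1.crt

# Trust anchor for peers: the private CA only. A connecting node must
# present a certificate that chains to this CA, so only certificates you
# issued yourself are accepted on the transport port.
xpack.security.transport.ssl.certificate_authorities: [ "certs/ca.crt" ]

# Require a certificate from the connecting side and verify both the
# chain and the host name (these are the defaults, stated for clarity).
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.verification_mode: full

# Weak variant the answer warns against: trusting a public CA's root
# (placeholder file name). Every certificate that CA has issued to anyone
# would then chain to a trusted root.
# xpack.security.transport.ssl.certificate_authorities: [ "certs/public-ca-root.pem" ]
```

With PKCS#12 files instead of PEM, the same trust decision is expressed through xpack.security.transport.ssl.truststore.path, and that truststore should contain only the private CA certificate.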