Allow certificates for example.com, example.net, and example.org

Hi,

I work for the Internet Assigned Numbers Authority (IANA). We operate the example.com, example.net, and example.org domains, providing a simple web service on each - see Example Domains.

We recently had to migrate our service to new infrastructure but were unable to obtain certificates from LE - certbot noted the domains were rejected by policy. I request you review the policy to allow these domains.

I understand some cite RFC 2606 as reason why these names should not be allowed. RFC 2606 was updated by RFC 6761 in 2013, and clarifies that software should treat the example domains as any other domain.

Thanks,
James

2 Likes

Hello! I always found it amusing that the example.com cert is Organization-Validated, so one can be sure that it's the real example site, run by the IANA.

I'm not sure what "new infrastructure" you mean specifically, but in general I wouldn't expect new infrastructure to require also changing CAs. You should be able to automate getting certificates from DigiCert using Certbot, as well as other CAs like Let's Encrypt.

I'm guessing that they currently block the names not out of some sort of feeling that the RFCs require it, but just because otherwise they'd be handling a lot of requests to validate that will end up failing. Or maybe just because it's a high-profile domain, and they like making sure that the organization actually wants to use their services first. I have this post bookmarked for officially requesting allowing a high-profile domain to be enabled for Let's Encrypt, though it's a few years old so maybe a staff member will hop on with more specific instruction for your case.

4 Likes

I will follow up via email.

8 Likes