There is a difference between:
- getting/renewing a certificate
- using a certificate
To answer your question:
"Is let's encrypt certs valid for public servers only?"
No.
You could have some other system get, and renew, the cert(s) and then:
- place the cert(s) where the systems in the DMZ can reach them
- place the cert(s) directly into the servers in the DMZ
If there is no Internet IP for the names, you may have to use DNS authentication.
If you are going to use DNS authentication, you might as well get a wildcard cert.
[if one single wildcard can cover all the names in the DMZ - that simplifies things]