Removing/correcting existing SOA record to allow Let's Encrypt to generate SSL CA

Have you tried the Renew certificate button on the Custom domains page?

If that doesn’t work, there is possibly an issue is the background that neither of us can see. Possibly similar to this one.