Tags: amazon-cloudfront, lets-encrypt

Renew LetsEncrypt cert thats behind Cloudfront


I have a domain that has a LetsEncrypt certificate on it that's behind AWS Cloudfront. I set it up before putting Cloudfront on it so everything worked fine.

Now it comes time to renew and it fails because:

The server experienced a TLS error during domain verification :: Failed to connect to xxx.xxx.xxx.xxx:443 for TLS-SNI-01 challenge

Now I have an AWS cert on Cloudfront but I wouldn't think that would cause the issue. Basically I think Cloudfront is returning a 404 that's unexpected because I'm not allowing certain headers or attributes through. I did whitelist Content-Type. I find lots of information around doing it with S3 but I've got an automated task renewing and I'd like to keep the AWS certificate if possible rather than the LetsEncrypt cert on Cloudfront.

How can I get the challenge to work through Cloudfront?


Solution

  • You could use the http-01 challenge and place the file on your origin. I personally have a cache behavior configured for .well-known/* to go to a specific origin that the challenge file is placed on.
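Added example (not part of the answer above): a Python pre-flight check that computes the key authorization Let's Encrypt expects for an http-01 token and verifies that the file placed on the origin comes back unchanged through the CloudFront `.well-known/*` behavior, flagging the cache-hit case that would otherwise surface as the 404 described in the question. The domain, token and account JWK are assumed inputs you supply from your own ACME client.

```python
"""Pre-flight check for an ACME http-01 challenge served via CloudFront."""
import base64
import hashlib
import json
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Exact body the CA expects at the challenge URL: <token>.<thumbprint>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def check_challenge_response(status: int, headers: dict, body: str, expected: str) -> list:
    """Return the list of problems found; an empty list means the challenge would pass."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    problems = []
    if status != 200:
        problems.append(f"expected HTTP 200, got {status}")
    if body.strip() != expected:
        problems.append("body is not the key authorization (wrong file or stale cache)")
    # CloudFront reports cache state in X-Cache ("Hit from cloudfront" / "Miss from cloudfront").
    # A hit for a file that was just written means the behavior is caching the path, so a
    # previously cached 404 or an old token can be returned instead of the new file.
    if hdrs.get("x-cache", "").lower().startswith("hit"):
        problems.append("served from CloudFront cache; lower the TTL on .well-known/* or invalidate")
    return problems


def fetch_and_check(domain: str, token: str, jwk: dict) -> list:
    """Fetch over plain HTTP, as the CA does, then validate the response."""
    url = f"http://{domain}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            status, headers, body = resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry headers worth inspecting
        status, headers, body = err.code, dict(err.headers), err.read().decode(errors="replace")
    return check_challenge_response(status, headers, body, key_authorization(token, jwk))
```

Run `fetch_and_check("example.com", token, jwk)` right after writing the challenge file to the origin; anything other than an empty list should be fixed before the automated renewal is retried.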