Automate New Cert Request w/Crypt::LE on IIS DNS challenge

Hi @bradpcmac,

I would ask your customer to create a CNAME record pointing to a domain that you control, so you can update the TXT record in the domain you control to issue a certificate.

Example:

Your customer domain is customer.tld
Your domain (you control the DNS of this domain): bradpcmac.tld

So you ask your customer to create a CNAME record pointing to a subdomain controlled by you (for example customer.tld.bradpcmac.tld):

_acme-challenge.customer.tld. IN CNAME customer.tld.bradpcmac.tld.

Once the customer confirms that they have added the CNAME record in their DNS servers, you can proceed to issue a new certificate, and when you get the token you only need to add it as a TXT record in the subdomain you control, customer.tld.bradpcmac.tld:

customer.tld.bradpcmac.tld. IN TXT herethetoken

Then Let’s Encrypt will try to validate the token, and when it goes to _acme-challenge.customer.tld it follows the CNAME to your subdomain customer.tld.bradpcmac.tld, which already has the TXT record with the right token to validate the domain.

I hope it is clear.

Cheers,
sahsanu

3 Likes
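A pre-flight check for the delegation described in the post above, as an added example that is not part of the original post: it follows the CNAME from `_acme-challenge.<domain>` to the name you control and confirms the TXT value is there before you ask for validation. The function names and the record table are hypothetical; the table is constructed sample data using the post's names and stands in for a real resolver query so the check runs offline.

```python
# Constructed sample records (names taken from the post; loop entry is made up).
CONSTRUCTED_RECORDS = {
    ("_acme-challenge.customer.tld", "CNAME"): ["customer.tld.bradpcmac.tld."],
    ("customer.tld.bradpcmac.tld", "TXT"): ["herethetoken"],
    # Misconfiguration case: two names pointing at each other.
    ("_acme-challenge.loop.tld", "CNAME"): ["a.bradpcmac.tld."],
    ("a.bradpcmac.tld", "CNAME"): ["_acme-challenge.loop.tld."],
}

def norm(name):
    """Lower-case and drop the trailing root dot so names compare equal."""
    return name.rstrip(".").lower()

def constructed_lookup(name, rtype):
    """Offline stand-in for a DNS query; replace with a real resolver call."""
    return CONSTRUCTED_RECORDS.get((norm(name), rtype), [])

def check_delegation(domain, expected_txt, lookup=constructed_lookup, max_hops=8):
    """Follow CNAMEs from _acme-challenge.<domain>, then check the TXT value.

    Returns (ok, final_name, reason).
    """
    name = norm("_acme-challenge." + domain)
    seen = set()
    while True:
        if name in seen:
            return (False, name, "CNAME loop")
        if len(seen) >= max_hops:
            return (False, name, "too many CNAME hops")
        seen.add(name)
        targets = lookup(name, "CNAME")
        if not targets:
            break  # end of the chain: TXT is expected at this name
        name = norm(targets[0])
    if len(seen) == 1:
        # The customer has not created the CNAME yet (or it has not propagated).
        return (False, name, "no CNAME delegation")
    if expected_txt in lookup(name, "TXT"):
        return (True, name, "TXT value found")
    return (False, name, "expected TXT value not present")

if __name__ == "__main__":
    for dom in ("customer.tld", "loop.tld", "other.tld"):
        print(dom, check_delegation(dom, "herethetoken"))
```
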