Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I think the error message is pretty clear. The Let's Encrypt server will use the public DNS system to identify your domain name. You must have an A record (if IPv4) and/or an AAAA record (if IPv6).
I see your apex domain has these records but your itflow subdomain has none.
In fact, your apex domain has 4 A records and 4 AAAA records. If those are the same records you plan to use for your itflow subdomain that becomes more complicated. Multi-server and CDN configs need proper care to handle HTTP Challenges (like the apache authenticator you are using).
We would need more info to give advice if that's the case.
I do not see itflow.omahatechnology.net mapping to that IPv4 Address, I see this IPv4 Address 18.104.22.168;
if it maps to more than one IP Address this is fine, but all must respond basically the same.