Can you post the rest of Certbot's output?
In CloudFront, how is the Origin Protocol Policy set? Is CloudFront contacting your origin over HTTP or over HTTPS?
You're really using 0.38.0? That's not a typo of 0.28.0, is it?
My first guess about what might be happening should be fixed as of Certbot 0.31.0.
No. For one thing, you'd have to repeat that every time you renewed the certificate. It's possible to fix things so that it will work with CloudFront.