That is the best option. All requests will happen within the /.well-known/acme-challenge
directory, so you just need to handle that path.
The requests will only happen while certs are being processed, so you can use iptables chains to reroute traffic only when Certbot (or whichever client you use) is running.
This comment has my install notes for ip-chains rules:
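As an added example (not the commenter's own install notes), a wrapper script that does the temporary rerouting described above: an iptables REDIRECT for port 80 is inserted by Certbot's pre-hook and removed by its post-hook, so it exists only while the HTTP-01 challenge is being answered. The listener port (8402) and the overridable IPTABLES variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the commenter's own notes): keep a port-80 redirect in
# place only for the duration of a Certbot run, so ACME HTTP-01 requests from
# the CA reach a dedicated listener and the normal web server is untouched
# the rest of the time.  Assumed (hypothetical) values: Certbot's standalone
# responder on port 8402; IPTABLES is overridable so the logic can be dry-run.
set -eu

IPTABLES="${IPTABLES:-iptables}"
ACME_PORT="${ACME_PORT:-8402}"
TAG="acme-http01"   # comment tag so the rule is identifiable in a listing

# Match/target part of the rule: incoming TCP/80 (PREROUTING only sees traffic
# from other hosts, which is where CA validators come from) -> local ACME port.
acme_match() {
  echo "-p tcp --dport 80 -m comment --comment $TAG -j REDIRECT --to-ports $ACME_PORT"
}

# add: insert only if not already present (-C exits non-zero when absent),
# so a crashed previous run cannot stack duplicate rules.
# del: remove every copy, so port 80 goes back to the web server.
acme_redirect() {
  case "$1" in
    add) $IPTABLES -t nat -C PREROUTING $(acme_match) 2>/dev/null \
           || $IPTABLES -t nat -I PREROUTING $(acme_match) ;;
    del) while $IPTABLES -t nat -C PREROUTING $(acme_match) 2>/dev/null; do
           $IPTABLES -t nat -D PREROUTING $(acme_match)
         done ;;
    *)   echo "usage: $0 add|del" >&2; return 2 ;;
  esac
}

# Wire the two actions into Certbot's hooks; the redirect then exists only
# between pre-hook and post-hook, i.e. while the challenge is being served:
#   certbot certonly --standalone --http-01-port "$ACME_PORT" -d example.com \
#       --pre-hook "$0 add" --post-hook "$0 del"
case "${1:-}" in
  add|del) acme_redirect "$1" ;;
esac
```

While the rule is in place, any visitor hitting port 80 reaches the ACME listener instead of the site, so the window is exactly the few seconds of the Certbot run and the post-hook must always run.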