The Satisfy Any above may work in many cases, but it does require first creating the directory and getting the permissions correct. It’s not a silver bullet for all Apache + Drupal configurations.
For example, Apache servers using AllowOverride None and explicit Include(s) of .htaccess files in their Apache .conf files, for the performance benefit, would totally ignore the .well-known/.htaccess
Temporarily moving or renaming the Drupal .htaccess file, reloading Apache, running the letsencrypt client, moving Drupal .htaccess back, and reloading Apache again should always work. Albeit, if that is done on a production website the site would be broken for a brief period, so test first or run during a maintenance window.
Something like this should work on CentOS / RedHat 6 + Drupal 7 or 8 + Apache 2 stack
cd /{putYOURdirectoryhere}/public_html && mv .htaccess .htaccess.disabled && /etc/init.d/httpd reload && {put YOUR letsencrypt-auto command here} && mv .htaccess.disabled .htaccess && /etc/init.d/httpd reload
Then you may still need to install the SSL certificates manually if you’re not using an installer plugin, in which case you’d need to do another Apache reload after the certificates are installed.