BTW, is there a reason you need Let’s Encrypt certificates if your site is behind CloudFront? I assume you are trying to secure the link from CloudFront to your servers, which makes sense. But I’m wondering if CloudFront offers other options for validating those certificates, like pinning to a specific self-signed certificate, or using an internal-only CA like Cloudflare’s Origin CA.