@wfuener With webroot, the Certbot client will create the challenge file but it is the Lets Encrypt servers which must find it. So, the LE server will make a request similar to:
@MikeMcQ Thanks for the info! This process is making much more sense. I can hit the IP address of the server but not with the domain name. That must be the root of the problem then. I will fix that and hopefully everything works!