In the process of working through an issue with verification that depended on access to the .well-known/acme-challenge, I discovered the problem was that SELinux was blocking it, causing a 403 error. Running setenforce Permissive at the command line allowed me to create the cert and I've successfully installed it.
Will access to .well-known/acme-challenge be necessary to renew the cert? Or is this verification process only performed during cert creation?
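The denial described above normally leaves an AVC record in the audit log (typically `ausearch -m avc -ts recent` on a RHEL-family host), and the narrower fix is to correct the label on the challenge files rather than leaving the whole system in permissive mode. As an added example, not part of the original post, the script below triages audit-log AVC lines: it picks out the denials where httpd was refused a file under `.well-known/acme-challenge/` (correlating open() denials, which only log the basename, with path-bearing records via dev/ino) and proposes the relabel command. The audit lines are constructed sample data, not a real capture; the script assumes the stock policy, where `/var/www` is already mapped to `httpd_sys_content_t` so `restorecon` suffices, while a non-default webroot needs a `semanage fcontext` rule first.

```python
"""Triage SELinux AVC denials affecting an ACME http-01 challenge directory.

Added example, not from the original post. Input is audit.log text (as
produced by `ausearch -m avc`); output is the offending path, its current
SELinux type, and a relabel suggestion. Assumption: stock targeted policy,
where /var/www(/.*)? defaults to httpd_sys_content_t.
"""
import re
from dataclasses import dataclass

# Labels httpd may read under the stock policy (assumption; checked with `sesearch`)
WEB_READABLE_TYPES = {"httpd_sys_content_t", "httpd_sys_rw_content_t",
                      "httpd_sys_ra_content_t"}
CHALLENGE_DIR = "/.well-known/acme-challenge/"

# Constructed sample: an open() denial (basename only), a getattr denial on the
# same inode with a full path, and an unrelated socket denial that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=1234 comm="httpd" name="abc123token" dev="dm-0" ino=77001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=no exit=-13 pid=1234 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000000.102:502): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/var/www/html/.well-known/acme-challenge/abc123token" dev="dm-0" ino=77001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:503): avc:  denied  { name_connect } for  pid=2222 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class Denial:
    perms: list
    fields: dict

    def ctx_type(self, key):
        # A context is user:role:type:level; the type is the third component.
        parts = self.fields.get(key, "").split(":")
        return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Parse one AVC record into permissions and key=value fields, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(m.group("rest")):
        fields[key] = quoted if raw.startswith('"') else raw
    return Denial(perms=m.group("perms").split(), fields=fields)


def challenge_denials(log_text):
    """Denials where httpd was refused a file/dir in the challenge directory.

    open() denials carry only name=, so records sharing dev/ino with a
    path-bearing record are treated as the same object (heuristic).
    """
    denials = [d for d in map(parse_avc, log_text.splitlines()) if d]
    httpd_fs = [d for d in denials
                if d.ctx_type("scontext") == "httpd_t"
                and d.fields.get("tclass") in ("file", "dir")]
    in_challenge = lambda d: CHALLENGE_DIR in d.fields.get("path", "")
    known_inodes = {(d.fields["dev"], d.fields["ino"]) for d in httpd_fs
                    if in_challenge(d) and "dev" in d.fields and "ino" in d.fields}
    return [d for d in httpd_fs
            if in_challenge(d)
            or (d.fields.get("dev"), d.fields.get("ino")) in known_inodes]


def suggest_fix(denial):
    """Propose a relabel for one challenge-directory denial."""
    ttype = denial.ctx_type("tcontext")
    if ttype in WEB_READABLE_TYPES:
        return "label already web-readable; check the path or an httpd boolean instead"
    path = denial.fields.get("path")
    if path is None:
        return (f"target type {ttype} is not web-readable; locate the file by "
                f"ino={denial.fields.get('ino')} and relabel it")
    root = path[: path.index(CHALLENGE_DIR) + len(CHALLENGE_DIR)].rstrip("/")
    if path.startswith("/var/www/"):
        return f"restorecon -Rv {root}"
    # Non-default webroot: the policy has no file-context rule for it yet.
    return (f'semanage fcontext -a -t httpd_sys_content_t "{root}(/.*)?" && '
            f"restorecon -Rv {root}")


def triage(log_text):
    """(path-or-name, current type, suggestion) for each challenge denial."""
    return [(d.fields.get("path") or d.fields.get("name"),
             d.ctx_type("tcontext"), suggest_fix(d))
            for d in challenge_denials(log_text)]


if __name__ == "__main__":
    for row in triage(SAMPLE_AUDIT_LOG):
        print(*row, sep="\n  ")
```

Feed it the output of `ausearch -m avc -ts recent` on the affected host; a target type such as `user_home_t` on the challenge files is the usual cause when an ACME client or a copy step created them outside the web tree, and relabelling them keeps enforcing mode on for every renewal.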
Yes. The validations are cached for (currently) just 30 days. So if you renew the cert after 60 days, the validation is already invalidated.
No, renewing is just the term used for: "getting a brand new certificate, but with the same hostnames as a previously issued certificate". Technically, there's no difference between the first cert and a renewal. But it's useful to be able to differentiate between first certs and renewals for certain rate limit exemptions for example.