In the process of working through an issue with verification that depended on access to the .well-known/acme-challenge, I discovered the the problem was that SELinux was blocking it, causing a 403 error. Running
setenforce Permissive at the command line allowed me to create the cert and I've successfully installed it.
Will access be to .well-known/acme-challenge be necessary to renew the cert? Or is this verification process only performed during cert creation?