I know that Amazon’s ELBs don’t support SNI in general, but they can also be configured to do “TCP pass through” as a layer 4 load balancer. When configured this way, ELBs don’t terminate TLS, but just pass on the encrypted stream to the instances behind the ELB.
I thought that configuring an ELB this way would allow for the SNI validation method to work, but this doesn’t seem to be the case. I haven’t dived into exactly why, and my understanding of layer 4 load balancing with encrypted packets isn’t strong, but I haven’t seen this exact issue mentioned anywhere online with ACME or Let’s Encrypt, so I wanted to document it.
I’m guessing your issue isn’t related to ELB (unless there’s a difference somewhere in our configs). Feel free to post logs if you need any assistance!