Let's Encrypt certificates are issued by valid public CAs. The Certbot tool works with any ACME-compliant CA to automate the certificate acquisition process.
Set up a basic nginx web server as the CA authenticator in AWS with HTTP access:
SSH into the nginx server and create the .well-known folder:
mkdir /tmp/.well-known
Modify the nginx configuration to add the following section. The webroot plugin in certbot uses this folder structure to authenticate domain ownership.
server {