Getting On Premise Deployment to work with SSL

OK - I have the configuration as Kent describes. Looking at the log for https-portal as it starts up, it shows:
Verifying staging.mycompany.com...
Traceback (most recent call last):
  File "/bin/acme_tiny", line 197, in <module>
    main(sys.argv[1:])
  File "/bin/acme_tiny", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/bin/acme_tiny", line 149, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for staging.mycompany.com: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://staging.mycompany.com/.well-known/acme-challenge/uzVYs8V9eRxsEM2Pwy-byRcNpbfomumHouHfl0rKxJ4', u'hostname': u'staging.mycompany.com', u'addressUsed': u'35.182.69.66', u'port': u'80', u'addressesResolved': [u'35.182.69.66', u'3.97.128.163']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/25028809470/JfXSyA', u'token': u'uzVYs8V9eRxsEM2Pwy-byRcNpbfomumHouHfl0rKxJ4', u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:connection', u'detail': u'Fetching http://staging.mycompany.com/.well-known/acme-challenge/uzVYs8V9eRxsEM2Pwy-byRcNpbfomumHouHfl0rKxJ4: Timeout during connect (likely firewall problem)'}, u'validated': u'2021-08-25T15:43:46Z', u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'staging.mycompany.com'}, u'expires': u'2021-09-01T15:43:45Z'}

Failed to sign staging.mycompany.com, is DNS set up properly?

Failed to obtain certs for staging.mycompany.com

(not actually "mycompany.com")

Any thoughts? I think the DNS is set up correctly - it is the same as several other services running in the same AWS account.

Stephen.

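Added example, not part of the original post: a short Python helper that pulls the authorization object out of the acme_tiny `ValueError` line and summarises the ACME error type, the address the CA tried, and the other addresses the name resolved to. The sample line is constructed from the log above with the token replaced by a placeholder; the function name, field names and hint strings are assumptions of this example.

```python
import ast

# Constructed sample: the ValueError line from the log above, with the token
# replaced by the placeholder TOKEN and the challenge URL field omitted.
SAMPLE = (
    "ValueError: Challenge did not pass for staging.mycompany.com: "
    "{u'status': u'invalid', u'challenges': [{u'status': u'invalid', "
    "u'validationRecord': [{u'url': u'http://staging.mycompany.com/.well-known/acme-challenge/TOKEN', "
    "u'hostname': u'staging.mycompany.com', u'addressUsed': u'35.182.69.66', u'port': u'80', "
    "u'addressesResolved': [u'35.182.69.66', u'3.97.128.163']}], "
    "u'token': u'TOKEN', "
    "u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:connection', "
    "u'detail': u'Timeout during connect (likely firewall problem)'}, "
    "u'type': u'http-01'}], "
    "u'identifier': {u'type': u'dns', u'value': u'staging.mycompany.com'}}"
)

# Hint text is this example's wording, keyed by the last part of the ACME error URN.
HINTS = {
    "connection": "CA could not open a TCP connection to the address it tried",
    "dns": "CA had a problem with a DNS query for the name",
}


def diagnose(line):
    """Summarise each failed challenge in a 'Challenge did not pass' line."""
    # The Python 2 repr (u'...' strings) is still a valid literal in Python 3.
    auth = ast.literal_eval(line[line.index("{"):].strip())
    findings = []
    for ch in auth.get("challenges", []):
        if ch.get("status") != "invalid":
            continue
        kind = ch.get("error", {}).get("type", "").rsplit(":", 1)[-1]
        for rec in ch.get("validationRecord", []):
            tried = rec.get("addressUsed")
            resolved = rec.get("addressesResolved", [])
            findings.append({
                "domain": auth["identifier"]["value"],
                "challenge": ch.get("type"),
                "error": kind,
                "hint": HINTS.get(kind, "see the 'detail' field"),
                "port": rec.get("port"),
                "tried": tried,
                # The CA picked one address; the others were not exercised in
                # this attempt and must each accept the same request.
                "other_addresses": [a for a in resolved if a != tried],
            })
    return findings
```

For the log above this reports a `connection` error for the http-01 challenge on port 80 at 35.182.69.66, with 3.97.128.163 as a second resolved address that the validation request could equally be sent to.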