Letsencrypt - do I need to keep ".well-known" accessible for certificate renewal?

Yes, it's needed each time a certificate is renewed. You still need to verify that the calling system is in control of the resource.

Lets Encrypt can create a new directory when you renew your ssl. So, yes you need the directory for renewal, but you can remove it after the first validation or a renewal.