I want to see if I can expect Automated Certificate Management (ACM) to update the certificate with the current DNS and CDN configurations.
Currently, ACM uses the HTTP-01 challenge to verify the custom domain and follows up to 10 redirects. As of this writing, Heroku manages TLS certificate updates on the host va-acm.heroku.com. If requests are redirected to this host, you can expect that Heroku will be able to update the certificate when needed (intermediate URLs may vary):
$ curl -iL http://custom-domain.example.com/.well-known/acme-challenge/T
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Location: https://va-acm.heroku.com/challenge?host=custom-domain.example.com&token=T

HTTP/1.1 404 Not Found
Content-Length: 0
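The check above can be scripted so it runs against every custom domain after a DNS or CDN change. This is an added example, not Heroku tooling: the function names `acm_redirect_check` and `sample_chain` are chosen here, and it reads "up to 10 redirects" as meaning the ACM host must appear within the first 10 `Location` hops.

```shell
#!/bin/sh
# Added example. acm_redirect_check and sample_chain are names chosen here.
ACM_HOST="va-acm.heroku.com"   # ACM host named on this page
MAX_REDIRECTS=10               # redirect limit stated on this page

# Reads `curl -siL` response headers on stdin. Succeeds only if a Location
# header points at ACM_HOST within MAX_REDIRECTS redirects.
acm_redirect_check() {
  tr -d '\r' | awk -v want="$ACM_HOST" -v max="$MAX_REDIRECTS" '
    tolower($1) == "location:" {
      hops++
      host = $2
      sub("^[a-zA-Z]+://", "", host)   # drop scheme
      sub("[/?#].*$", "", host)        # drop path, query, fragment
      sub("^.*@", "", host)            # drop userinfo so user@host cannot spoof
      sub(":.*$", "", host)            # drop port
      if (tolower(host) == want && !reached) reached = hops
    }
    END {
      if (!reached)      { print "FAIL: chain never reaches " want; exit 1 }
      if (reached > max) { print "FAIL: " reached " redirects exceeds " max; exit 1 }
      print "OK: reaches " want " after " reached " redirect(s)"
    }'
}

# Constructed sample: the response headers shown on this page, with CRLF
# line endings as curl emits them. The final 404 is expected for token "T".
sample_chain() {
  printf 'HTTP/1.1 301 Moved Permanently\r\nContent-Length: 0\r\n'
  printf 'Location: https://va-acm.heroku.com/challenge?host=custom-domain.example.com&token=T\r\n\r\n'
  printf 'HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n'
}

sample_chain | acm_redirect_check

# Against a live domain (same URL shape as on this page):
#   curl -siL http://custom-domain.example.com/.well-known/acme-challenge/T \
#     | acm_redirect_check
```

A `FAIL` result usually means a CDN or proxy in front of the app answers `/.well-known/acme-challenge/` itself, or redirects elsewhere, before the request reaches Heroku.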
Source IP ranges for domain verification are not published. For a Private Space app, please make sure to open requests to the app to the paths under