Issue
I want to see if I can expect Automated Certificate Management (ACM) to update the certificate with the current DNS and CDN configurations.
Resolution
Currently, ACM uses the ACME HTTP-01 challenge to verify the custom domain, and it follows up to 10 redirects while fetching the challenge. As of this writing, Heroku manages TLS certificate updates from the host va-acm.heroku.com. If requests for the challenge path are redirected to this host, you can expect Heroku to update the certificate when needed (intermediate URLs may vary; the 404 for the placeholder token T is expected, what matters is that the chain ends at va-acm.heroku.com):
$ curl -iL http://custom-domain.example.com/.well-known/acme-challenge/T
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Location: https://va-acm.heroku.com/challenge?host=custom-domain.example.com&token=T
HTTP/1.1 404 Not Found
Content-Length: 0
The source IP ranges used for domain verification are not published, so the challenge path cannot be allow-listed by source address. For a Private Space app, make sure that requests to paths under /.well-known/acme-challenge/ are allowed to reach the app regardless of the source address.
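The curl check above can be made repeatable. The following script is an added example and not Heroku tooling: its check_chain function parses the header output of curl -siL, counts the Location hops, and reports whether the chain ends at va-acm.heroku.com within the 10 redirects ACM follows. An empty response (for example, when a Private Space app blocks the challenge path) is reported as a failure as well. The host name, the 10-redirect limit and the placeholder token T come from this article; the function names and the constructed sample responses are my own.

```shell
#!/bin/sh
# Added example (not Heroku's own tooling): check that the ACME HTTP-01
# challenge path of a custom domain redirects to Heroku's ACM host within
# the 10 redirects that ACM is documented to follow.

ACM_HOST="va-acm.heroku.com"   # host named in the article as serving ACM challenges
MAX_REDIRECTS=10               # redirect limit stated in the article

# check_chain: reads `curl -i` header output on stdin, inspects the Location
# headers curl printed while following redirects, and prints OK or FAIL.
# Exit status: 0 = chain ends at $ACM_HOST within $MAX_REDIRECTS hops,
# 1 = it does not, 2 = no HTTP response at all (path blocked or host down).
check_chain() {
    awk -v acm="$ACM_HOST" -v max="$MAX_REDIRECTS" '
    { sub(/\r$/, "") }                          # curl prints CRLF-terminated headers
    /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { responses++; status = $2 }
    tolower($1) == "location:" {
        redirects++
        url = $2
        if (url ~ /^https?:\/\//) {             # absolute URL: extract the host part
            host = url
            sub(/^https?:\/\//, "", host)
            sub(/[\/?#].*$/, "", host)
            sub(/:[0-9]+$/, "", host)           # drop an explicit port, if any
        }                                       # relative URL: stays on the current host
    }
    END {
        if (responses == 0) { print "FAIL: no HTTP response (path blocked or host unreachable?)"; exit 2 }
        if (redirects > max) { printf "FAIL: %d redirects, ACM follows at most %d\n", redirects, max; exit 1 }
        if (host != acm) {
            where = (host != "") ? host : (redirects ? "a relative Location" : "no redirect at all")
            printf "FAIL: chain ends at %s, not %s (final status %s)\n", where, acm, status
            exit 1
        }
        printf "OK: %d redirect(s) end at %s (final status %s)\n", redirects, acm, status
        exit 0
    }'
}

# probe_domain: live check against a custom domain. Uses the placeholder
# token "T" from the article; a 404 from ACM for an unknown token is expected,
# the redirect chain is what matters. --max-redirs mirrors ACM's own limit,
# so a chain longer than ACM tolerates is cut off and reported as FAIL.
probe_domain() {
    curl -siL --max-redirs "$MAX_REDIRECTS" \
        "http://$1/.well-known/acme-challenge/T" | check_chain
}

# usage: sh acm-redirect-check.sh custom-domain.example.com
if [ "$#" -ge 1 ]; then
    probe_domain "$1"
fi
```

Run it as `sh acm-redirect-check.sh custom-domain.example.com` from outside your network, since the verification requests come from unpublished Heroku addresses; a FAIL from a CDN or WAF that rewrites or blocks /.well-known/acme-challenge/ shows up as a chain that ends on the CDN host rather than on va-acm.heroku.com.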