Issue
I want to see if I can expect Automated Certificate Management (ACM) to update the certificate with the current DNS and CDN configurations.
Resolution
Currently, ACM uses the HTTP-01 challenge to verify the custom domain and follows up to 10 redirects while doing so. As of this writing, Heroku handles TLS certificate updates on the host va-acm.heroku.com. If requests are redirected to this host, you can expect Heroku to be able to update the certificate when needed (intermediate URLs may vary):
$ curl -iL http://custom-domain.example.com/.well-known/acme-challenge/T
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Location: https://va-acm.heroku.com/challenge?host=custom-domain.example.com&token=T
HTTP/1.1 404 Not Found
Content-Length: 0
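As an added offline readiness check (not Heroku's own tooling), the following Python script parses a saved `curl -iL` transcript like the one above and reports whether every hop redirects and the chain ends at va-acm.heroku.com within the 10 redirects ACM follows; the two sample transcripts are constructed, the first mirroring the output above and the second showing a CDN that answers the challenge path itself.

```python
import re
from urllib.parse import urlsplit

ACM_HOST = "va-acm.heroku.com"  # verification host named in the article
MAX_REDIRECTS = 10              # ACM follows at most this many redirects

def parse_responses(transcript):
    """Split `curl -i` output into (status, headers) per hop; header names lower-cased."""
    responses = []
    for block in re.split(r"(?=^HTTP/\d(?:\.\d)? )", transcript, flags=re.M):
        lines = block.strip().splitlines()
        if not lines:
            continue
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        responses.append((int(lines[0].split()[1]), headers))
    return responses

def acm_reachable(transcript, custom_domain):
    """Return (ok, reason). curl -L follows up to 50 hops, so a transcript can be
    longer than ACM tolerates; more than MAX_REDIRECTS hops is reported as failure."""
    responses = parse_responses(transcript)
    if not responses:
        return False, "no HTTP responses in transcript"
    host, hops = custom_domain, 0
    for status, headers in responses[:-1]:
        if status not in (301, 302, 303, 307, 308):
            return False, f"hop {hops + 1} answered {status} instead of redirecting"
        if "location" not in headers:
            return False, f"hop {hops + 1} redirected without a Location header"
        hops += 1
        if hops > MAX_REDIRECTS:
            return False, f"more than {MAX_REDIRECTS} redirects"
        host = urlsplit(headers["location"]).hostname or host
    if host != ACM_HOST:
        return False, f"chain ends at {host}, not {ACM_HOST}"
    return True, f"reached {ACM_HOST} after {hops} redirect(s)"

# Constructed transcripts: GOOD mirrors the article; BAD is a CDN serving the path itself.
GOOD = """HTTP/1.1 301 Moved Permanently
Content-Length: 0
Location: https://va-acm.heroku.com/challenge?host=custom-domain.example.com&token=T
HTTP/1.1 404 Not Found
Content-Length: 0
"""
BAD = "HTTP/1.1 200 OK\nContent-Type: text/html\n"
```

Feed it the output of `curl -iL http://<custom domain>/.well-known/acme-challenge/test` saved to a file; a False result means ACM will not be able to renew until the redirect or forwarding is fixed.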
Source IP ranges for domain verification are not published. Make sure the custom domain accepts requests from anywhere in the world for paths under /.well-known/acme-challenge/ and forwards them to Heroku at the DNS target hostname.
Note: Stale caches can affect DNS record updates (such as updating domains, changing DNS configuration, or migrating DNS providers), so it is recommended to lower the TTL values of the DNS records before you start making changes. A shorter TTL means cached data expires sooner, so updated information propagates faster.