I want to see if I can expect Automated Certificate Management (ACM) to update the certificate with the current DNS and CDN configurations.
Currently, ACM uses the HTTP-01 challenge to verify the custom domain, following up to 10 redirects. As of this writing, Heroku manages TLS certificate updates on the host va-acm.heroku.com. If requests are redirected to this host, you can expect that Heroku will be able to update the certificate when needed (intermediate URLs may vary):
    $ curl -IL http://custom-domain.example.com/.well-known/acme-challenge/
    HTTP/1.1 301 Moved Permanently
    Content-Length: 0
    Location: https://custom-domain.example.com/.well-known/acme-challenge/

    HTTP/1.1 301 Moved Permanently
    Location: https://va-acm.heroku.com/challenge?host=custom-domain.example.com&token=

    HTTP/1.1 405 Method Not Allowed
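The same check as a script, added here as an example and not taken from Heroku: it reads the header output of `curl -sIL` and reports whether the redirect chain ends on va-acm.heroku.com within the 10-redirect limit. The function name, verdict strings and output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Heroku code. Classifies the header output of:
#   curl -sIL http://<custom-domain>/.well-known/acme-challenge/
ACM_HOST="va-acm.heroku.com"  # host named in this article; may change
MAX_REDIRECTS=10              # redirect limit stated in this article

# Reads curl -IL response headers on stdin.
# Prints "<verdict> <redirect-count> <host of last absolute Location>".
acm_chain_verdict() {
    tr -d '\r' | awk -v want="$ACM_HOST" -v max="$MAX_REDIRECTS" '
        tolower($1) == "location:" {
            hops++
            url = tolower($2)
            if (url ~ "^https?://") {        # relative redirects keep the host
                sub("^https?://", "", url)   # drop scheme
                sub("[/?#].*$", "", url)     # drop path, query, fragment
                sub(":[0-9]+$", "", url)     # drop port
                host = url
            }
        }
        END {
            if (hops == 0)         v = "no-redirect"
            else if (hops > max)   v = "too-many-redirects"
            else if (host == want) v = "ok"          # exact match, not substring
            else                   v = "wrong-host"
            print v, hops + 0, (host == "" ? "-" : host)
        }'
}

# The response chain shown in the article, used as sample input.
sample_headers() {
    cat <<'EOF'
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Location: https://custom-domain.example.com/.well-known/acme-challenge/

HTTP/1.1 301 Moved Permanently
Location: https://va-acm.heroku.com/challenge?host=custom-domain.example.com&token=

HTTP/1.1 405 Method Not Allowed
EOF
}

sample_headers | acm_chain_verdict   # ok 2 va-acm.heroku.com
```

Against a live domain, pipe `curl -sIL` for the challenge path into `acm_chain_verdict`; a `wrong-host` or `no-redirect` verdict means a CDN or proxy in front of the app is answering the challenge path itself.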
Source IP ranges for domain verification are not published. For a Private Space app, please make sure to open requests to the app to the paths under