How can I quickly check if ACM will be able to update the certificate?

Issue

I want to see if I can expect Automated Certificate Management (ACM) to update the certificate with the current DNS and CDN configurations.

Resolution

Currently, ACM uses the HTTP-01 challenge to verify the custom domain, following up to 10 redirects. As of this writing, Heroku manages TLS certificate updates on the host va-acm.heroku.com. If requests are redirected to this host, you can expect that Heroku will be able to update the certificate when needed (intermediate URLs may vary):

$ curl -iL http://custom-domain.example.com/.well-known/acme-challenge/T
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Location: https://va-acm.heroku.com/challenge?host=custom-domain.example.com&token=T

HTTP/1.1 404 Not Found
Content-Length: 0
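
An added example, not part of the original article or Heroku's own tooling: a shell function that reads the response headers curl prints and reports whether a redirect lands on va-acm.heroku.com within the 10-redirect limit, matching the Location host exactly instead of by substring. The function names and the sample headers are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not Heroku tooling): check a redirect chain for the ACM host.
ACM_HOST="va-acm.heroku.com"   # host named in the article
MAX_REDIRECTS=10               # redirect limit named in the article

# Reads HTTP response headers on stdin (as printed by curl -D -).
# Prints "ok <hop>" when the host of a Location header is exactly ACM_HOST
# within the limit, otherwise "fail <reason>". Exit status: 0 ok, 1 fail.
acm_chain_check() {
  awk -v host="$ACM_HOST" -v max="$MAX_REDIRECTS" '
    { sub(/\r$/, "") }                      # curl prints CRLF line endings
    tolower($1) == "location:" {
      hops++
      url = $2
      sub("^[a-zA-Z][a-zA-Z0-9+.-]*://", "", url)   # drop scheme
      sub("[/?#].*$", "", url)                      # drop path, query, fragment
      sub("^.*@", "", url)                          # drop userinfo
      sub(":[0-9]+$", "", url)                      # drop port
      # Exact host match: the ACM name inside a query string or as a prefix
      # of another domain must not count.
      if (!found && hops <= max && tolower(url) == host) found = hops
    }
    END {
      if (found)      { print "ok " found; exit 0 }
      if (hops > max) { print "fail too-many-redirects"; exit 1 }
      print "fail no-acm-redirect"; exit 1
    }'
}

# Live check (hypothetical helper): GET the challenge path, keep only headers.
acm_check_domain() {
  curl -s -o /dev/null -D - -L --max-redirs "$MAX_REDIRECTS" \
    "http://$1/.well-known/acme-challenge/T" | acm_chain_check
}

# Constructed sample mirroring the curl output shown in the article.
sample_headers() {
  printf 'HTTP/1.1 301 Moved Permanently\r\nContent-Length: 0\r\n'
  printf 'Location: https://va-acm.heroku.com/challenge?host=custom-domain.example.com&token=T\r\n\r\n'
  printf 'HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n'
}

sample_headers | acm_chain_check   # prints: ok 1
```

Run `acm_check_domain custom-domain.example.com` to apply the same check to a live domain.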

Source IP ranges for domain verification are not published. For a Private Space app, please make sure requests to the app on paths under /.well-known/acme-challenge/ are allowed.

Note: Stale caches can affect DNS record updates (such as updating domains, changing DNS configuration, and migrating DNS providers), so it's recommended to reduce the TTL values of the DNS records before you start making modifications. A shorter TTL means cached data expires sooner, allowing updated information to propagate faster.
