Just bumped into acme-dns-persist-01. It would be very interesting if it could be used along with workload identity systems such as SPIFFE/SPIRE. It would give a clear path, for example, for a workload running on a bare metal host to prove it is who it says it is automatically using a TPM to a SPIRE server, then exchange that for a valid certificate from Let's Encrypt.
Does acme-dns-persist-01 work with CAs that rotate every day, as is typical in a SPIRE environment?