Short question: can you 301 redirect tls-sni-01 challenges to a central server to be verified?
Longer version: We’re looking at setting up a central server to issue certificates for a range of servers (none of which can easily run any of the letsencrypt clients directly).
Initially, I thought we could set up a central server, and run letsencrypt certonly in webroot mode, then get our front-end servers to 301 redirect any http-01 challenge to /webroot/.well-known/acme-challenge/XYZ on the central server.
But I’ve since realised some of our servers don’t listen on port 80 ruling this out.
So I believe my option now is to use standalone mode which issues tls-sni-01 challenges directly to port 443.
BUT, I’m not at all sure a 301 redirect of this sort of request would work since the TLC/SNI phase would have to complete before the server could issue a 301?
Can anyone who understands this more fully confirm is this is a non-starter?