Just wanted to comment on this. While it may seem like a feature to have your client able to get through the cert ordering process as quickly as possible (particularly during development when you’re testing things), it’s not really something that actually matters in production in the vast majority of cases. In a typical environment, a cert is only going to be renewed once every 60-ish days (assuming you start trying to renew 30 days out, which is what most clients tend to do). Whether that renewal takes seconds, minutes, or hours is irrelevant as long as it eventually succeeds prior to the previous cert’s expiration. Even if the initial attempt fails for some reason (ACME server issues, temporary DNS issues, etc.), a well-functioning client will retry until it succeeds.
So I guess the point is, don’t worry too much about optimizing the speed of your client. Worry more about making it robust and able to gracefully deal with failures and retry. If that means adding some extra delays, so be it.
Most clients that deal with automating DNS challenges expect that everyone’s DNS propagation delay is going to be different and make it a configurable option. Some try to automate the checking of authoritative records, but there are an increasing number of environments where that’s not possible from the server running the ACME client, due to corporate policies trying to prevent data exfiltration via DNS by blocking external DNS resolution, or just that the server doesn’t actually have outbound Internet access.
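The post describes three behaviours a robust ACME client needs: renewing well before expiry, retrying a failed order with backoff instead of giving up, and treating DNS propagation delay as an operator setting with an optional authoritative-record check that may not be possible from the host. The block below is an added example written for this thread, not code from the poster or from any particular ACME client. The function names (`renewal_due`, `renew_with_retry`, `wait_for_dns_propagation`), the `RetryPolicy` defaults, and the 30-day window constant are assumptions chosen for illustration; the `order` and `check` callables stand in for whatever the real client uses to place an ACME order and to query the authoritative nameservers, and `sleep` is injected so the logic can be tested without actually waiting.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

# Assumption: renew 30 days before notAfter, the window the post describes most clients using.
RENEW_BEFORE = timedelta(days=30)


def renewal_due(not_after: datetime, now: datetime,
                renew_before: timedelta = RENEW_BEFORE) -> bool:
    """True once `now` is inside the renewal window before the cert's notAfter."""
    return now >= not_after - renew_before


@dataclass
class RetryPolicy:
    """Capped exponential backoff; attempts are numbered from 0."""
    max_attempts: int = 6
    base_delay: float = 60.0        # seconds before the first retry (assumed default)
    max_delay: float = 6 * 3600.0   # never wait longer than this between tries

    def delay(self, attempt: int) -> float:
        return min(self.max_delay, self.base_delay * (2 ** attempt))


class TransientError(Exception):
    """A failure worth retrying: ACME server error, DNS hiccup, network timeout."""


def renew_with_retry(order: Callable[[], bool], policy: RetryPolicy,
                     sleep: Callable[[float], None],
                     log: Optional[List[str]] = None) -> bool:
    """Run `order()` until it returns True or the attempt budget is exhausted.

    `order` performs one complete ACME order (hypothetical caller-supplied function);
    it returns True on success and raises TransientError on a retryable failure.
    Slowness is acceptable here: what matters is that a success lands before expiry.
    """
    for attempt in range(policy.max_attempts):
        try:
            if order():
                return True
            reason = "order returned False"
        except TransientError as exc:
            reason = str(exc)
        if attempt + 1 < policy.max_attempts:
            wait = policy.delay(attempt)
            if log is not None:
                log.append(f"attempt {attempt + 1} failed ({reason}); retrying in {wait:.0f}s")
            sleep(wait)
    return False


def wait_for_dns_propagation(check: Optional[Callable[[], bool]],
                             propagation_delay: float, poll_interval: float,
                             max_wait: float, sleep: Callable[[float], None]) -> bool:
    """Wait for a DNS challenge record to become visible before asking for validation.

    If `check` is None (the host cannot resolve external DNS, e.g. egress is blocked),
    fall back to the operator-configured fixed `propagation_delay` and assume the
    record is in place. Otherwise poll `check()` (hypothetical authoritative lookup)
    every `poll_interval` seconds until it reports True or `max_wait` has elapsed.
    """
    if check is None:
        sleep(propagation_delay)
        return True
    waited = 0.0
    while True:
        if check():
            return True
        if waited >= max_wait:
            return False
        sleep(poll_interval)
        waited += poll_interval


if __name__ == "__main__":
    # Constructed demo: a cert expiring in 20 days is due, and an order that fails
    # twice with a transient error still succeeds on the third try.
    not_after = datetime.now(timezone.utc) + timedelta(days=20)
    print("renewal due:", renewal_due(not_after, datetime.now(timezone.utc)))
    tries: List[int] = []

    def flaky_order() -> bool:
        tries.append(1)
        if len(tries) < 3:
            raise TransientError("ACME server returned 503")
        return True

    events: List[str] = []
    ok = renew_with_retry(flaky_order, RetryPolicy(), lambda s: None, events)
    print("renewed:", ok, "after", len(tries), "attempts;", events)
```

Because `sleep` and `order` are injected, the same code runs unchanged in production (pass `time.sleep` and the real order function) and in tests (pass a recorder). The backoff cap keeps retries frequent enough to finish well inside the 30-day window even when the first several attempts fail.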