Customer has an existing LE cert for example.com (close to expiration)
He wants to renew the cert
Add new domain to it.
During DOV (domain ownership verification), the LE script can perform a GET for https://example.com
If it returns a valid LE cert **during the TLS handshake**, the domain is considered approved and no further DOV is needed.
I.e. the response might be 404 or whatever - the script looks only for the cert returned during the TLS handshake.
A variation of the same DOV might be just a valid certificate, not necessarily issued by LE.
Nope, not good enough…
If it’ll be the only DOV, then anybody can get a cert for a site which already uses an LE cert.
Scratch it, please.