Not having any Linux box at hand, I am using the IIS client. So forgive me if the following is an unsupported IIS client issue that is fixed in the Unix version.
It is completely clear to me why, but I can’t fix it, because http://mysubdomain.mydomain.com has to point to the other server. If the ACME server tried https://mysubdomain.mydomain.com/.well-known/acme-challenge/abcdefgh...xyz, but ignored any certificate issue, it would successfully find the challenge. In my understanding, this behaviour wouldn’t introduce any new security holes over the current behaviour.
Is there anything I can do to get automated renewal working?
There are a couple of other options you could explore. Let’s Encrypt supports verification via DNS TXT records. This is supported by ACMESharp. However, this tends to be tricky to automate.
Another option would be to add a redirect on your port 80 server from http://sub.example.com/.well-known/acme-challenge/* to https://sub.example.com/.well-known/acme-challenge/*. The CA server will happily follow a redirect to HTTPS, so as long as you redirect all requests for .well-known/acme-challenge/* to HTTPS and host the challenge files there, this would work. You wouldn’t need to do anything actively on your port 80 server for each renewal, just a permanent “blanket” redirect.
If that’s not something you can do with the existing server on port 80, I’m afraid DNS-based validation is your only option at the moment.
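One concrete form of the blanket redirect suggested in the answer, for a port-80 site running on IIS, as an added example that is not from the original thread: it assumes the IIS URL Rewrite module is installed, and it uses the `{HTTP_HOST}` server variable so the CA is sent to HTTPS on whatever hostname it requested (sub.example.com in the answer’s wording).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): web.config for the site on port 80.
     Assumes the IIS URL Rewrite module is installed. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Match only the ACME challenge path; everything else served on
             port 80 keeps its existing behaviour. -->
        <rule name="ACME challenge to HTTPS" stopProcessing="true">
          <match url="^\.well-known/acme-challenge/(.+)$" />
          <conditions>
            <!-- Only redirect requests that arrived over plain HTTP. -->
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <!-- 301 to the same path over HTTPS. The CA follows the redirect
               and fetches the token from the HTTPS server that hosts the
               challenge files; {R:1} carries the token file name across. -->
          <action type="Redirect"
                  url="https://{HTTP_HOST}/.well-known/acme-challenge/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Once this is in place, a request such as `http://sub.example.com/.well-known/acme-challenge/token` should answer with a 301 whose Location header is the same path on `https://`, without any per-renewal change on the port-80 server.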