You can definitely have problems like this. For example, LE uses mixed-case DNS queries, which mitigate some kinds of DNS attacks; there were several significant DNS appliance and software vendors that initially didn’t implement the behavior that LE required. It took some effort to get them to update their software.
If you do have names that you’re trying to issue for where some of the infrastructure is under the control of your customers or partners, you can expect some challenges (in both senses!) where things break due to software incompatibility or misconfiguration. I think this is rare but a large provider dealing with huge numbers of names will definitely come across it.
If you control the infrastructure yourself (for example, if you run the DNS servers that LE is querying and the web servers—if any—to which challenge connections are made), I think you can get to a high level of reliability. As we’ve mentioned, although there is no formal commercial support, the LE engineers care about your problems and are very accessible. I’ve been involved in and witnessed some pretty elaborate debugging efforts where issuance was failing in a particular country or for a particular vendor’s products and we generally did a good job of getting to the bottom of why and figuring out how to fix it.
I think the cases that we’re not doing a good job with aren’t ones that will be relevant to you:
- End-users who don’t have the right background for the tools that they’re trying to use, or who aren’t choosing the right tools for their use cases.
- Vendors who develop their own Let’s Encrypt clients but don’t participate in the forum.
Well, maybe also
- People who, for brand or client confidentiality reasons, don’t want to debug in public.
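The mixed-case DNS query behavior mentioned above (often called "0x20" case randomization) is easy to show concretely. The following is an added example, not code from the post's author or from Let's Encrypt: it randomizes the case of a query name the way a validating resolver would, and then checks, case-sensitively, that the answer echoes the question name back unchanged. The two server functions are constructed stand-ins: one preserves case as RFC 1035 requires, the other lowercases the name, which is the kind of vendor behavior that made validation fail. The function names and the `entropy_bits` helper are assumptions for illustration.

```python
import secrets


def randomize_case(qname: str, rng=None) -> str:
    """Apply DNS 0x20 case randomization to an owner name.

    Every ASCII letter independently becomes upper or lower case; digits,
    hyphens and dots are left alone. A resolver sends the randomized name
    and expects the authoritative server to echo it back unchanged, so a
    spoofed reply must also guess the case pattern. `rng` only needs a
    getrandbits(n) method; it defaults to the OS CSPRNG.
    """
    rng = rng or secrets.SystemRandom()
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if rng.getrandbits(1) else ch.lower())
        else:
            out.append(ch)
    return "".join(out)


def entropy_bits(qname: str) -> int:
    """Extra bits of entropy 0x20 adds: one per ASCII letter in the name.

    A name with no letters (e.g. a purely numeric label) gains nothing,
    which is a known limitation of the technique.
    """
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def response_matches(sent_qname: str, answer_qname: str) -> bool:
    """Case-sensitive check: the question name in the answer must be
    byte-for-byte what we sent, not merely equal ignoring case."""
    return sent_qname == answer_qname


# Constructed stand-ins for an authoritative server's question-section echo.
def case_preserving_server(qname: str) -> str:
    """Compliant behavior: the question name is copied into the reply as-is."""
    return qname


def lowercasing_server(qname: str) -> str:
    """Non-compliant behavior: the name is canonicalized to lower case before
    the reply is built, so 0x20 validation fails on every query that had an
    upper-case letter."""
    return qname.lower()


def validate(qname: str, server, rng=None) -> bool:
    """Send a case-randomized query to `server` and accept the reply only if
    the echoed question name matches exactly."""
    sent = randomize_case(qname, rng)
    echoed = server(sent)
    return response_matches(sent, echoed)


if __name__ == "__main__":
    name = "example.com"
    print(f"{name}: {entropy_bits(name)} bits of 0x20 entropy")
    print("compliant server accepted:", validate(name, case_preserving_server))
    print("lowercasing server accepted:", validate(name, lowercasing_server))
```

Run with a real resolver library, the same check applies to the QNAME in the reply's question section; here the servers are simulated so the example runs offline. The deterministic `rng` parameter exists so the failure path can be exercised reliably in a test (an RNG that always returns 1 forces every letter to upper case).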