As far as I remember, I’ve read somewhere that if you are requesting a certificate for a domain that already has a certificate, you are supposed to sign a challenge with the corresponding private key to prove ownership.
I’ve recently obtained a LE certificate for a domain which has had a previous cert from a different vendor, without going through this extra check. I used manual mode from a different machine with no access to the old private key file, and I don’t even see any entries in my server’s log for requesting the challenge file over HTTPS.
Did I overlook something and can the letsencrypt client perform this check in some tricky way? Is it only a planned feature? Or did I just spot a bug?