As far as I remember, I’ve read it somewhere that if you are requesting a certificate for a domain that already has a certificate, you are supposed to sign a challenge with the corresponding private key to prove ownership.
I’ve recently obtained a LE certificate for a domain which has had a previous cert from a different vendor without going through this extra check. I used manual mode from a different machine with no access to the old private key file, and I don’t even see any entries in my server’s log for requesting the challenge file over https.
Did I overlook something and can the letsencrypt client perform this check in some tricky way? Is it only a planned feature? Or did I just spot a bug?
Do you have some more information about this? Mainly I’m interested in whether there’s a way around it – otherwise what are folks like myself who have domains on CloudFlare for which we have no access to the private keys supposed to do if we want to migrate off of that platform and/or expand our services beyond those that CloudFlare supports?