When doing the initial ordering of a certificate using the tls-alpn-01 challenge, I have to construct a self-signed certificate as explained in RFC 8737.
So far so good. Eventually my program has to renew the certificate still using tls-alpn-01.
Do I need to re-run the process using a new self-signed certificate, or is ACME/Let's Encrypt able to renew on the fly just by looking at the existing soon-to-expire certificate?
My testing shows the latter seems to work (if I reuse the same account and keypair), but I can't figure out if it's the right way to do it, or if I am required to redo the self-signed cert ceremony?