Thank for such quick follow ups.
Our registra is dynodot, they are not listed at
Therefore,
it does not look like let’s encrypt will be able to do DNS-01 validation (even if I create the _acme-challenge for every subdomain we need).
our HTTP (port 80) is currently closed. So cannot do http-based validation. But will check, may be that’s the route we can take
–
WRT to the other points in my question. Thank you for clarification. It seems that I would have to use hooks in one of the clients, to follow the renewal with an execution of custom ‘toJKS’ and scp scripts.