In my perspective the validation of a domain name boils down to: can a validation tool reach a webserver located at an AAAA/A-record for the requested domain name. I assume that redirection at the webserver side to an HTTPS resource is allowed. Please confirm this statement.
If the redirection is allowed we may arrive at a chicken/egg problem. A Let’s Encrypt certificate may be expired before the renewal process has been done, or the webserver can be started with self-signed certificates. To me it sounds as if being strict on SSL validation goes beyond checking if the document can be retrieved from the IP address defined by the A/AAAA-record.
You can’t get the certificate unless HSTS is disabled for the domain. I am trying to confirm that this requirement is the Let’s Encrypt policy. Since someone else also states that Boulder doesn’t have this requirement, and at the GitHub ticket someone suggested DNS validation, this topic already helps me greatly.
Let’s Encrypt does not follow HSTS - so no, it’s not policy or a requirement to “disable” HSTS.
You could use DNS validation, yes - or there is no reason why you can’t use HTTP validation. It looks as if acmeclient (the client you are using) does check / require a valid SSL cert - this is not a requirement of Let’s Encrypt.
Since it turns out that Boulder doesn’t validate TLS certificates in HTTPS redirects issued from HTTP URL retrievals for validation purposes, I’ve updated acmetool to reflect this. The fix is in v0.0.58.
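The HTTP-01 flow the two replies above describe, as an added example that is not Boulder's or acmetool's code: the validator starts at the plain HTTP challenge URL, follows a redirect to HTTPS if the web server issues one, and does not verify the TLS certificate on that redirected fetch, so an expired or self-signed certificate does not block renewal. The domain `example.test`, token `tok`, key authorization `tok.thumbprint` and the `fake_server` stand-in are constructed; the redirect cap is an assumption.

```python
import http.client
import ssl
from urllib.parse import urljoin, urlparse
MAX_REDIRECTS = 10  # assumption: a redirect cap like Boulder's; the exact number is not from this thread
CHALLENGE_PATH = "/.well-known/acme-challenge/"

def _raw_fetch(url, timeout=10):
    # One GET without automatic redirects; returns (status, Location header, body).
    p = urlparse(url)
    if p.scheme == "https":
        # Deliberately unverified TLS: the certificate on the redirect target may be expired
        # or self-signed (it is the one being renewed), so its validity is not part of the check.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(p.hostname, p.port or 443, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(p.hostname, p.port or 80, timeout=timeout)
    conn.request("GET", p.path or "/")
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, resp.getheader("Location"), body

def validate_http01(domain, token, key_authorization, fetch=_raw_fetch):
    # `fetch` is injectable so the flow can be exercised offline; returns (ok, reason).
    url = f"http://{domain}{CHALLENGE_PATH}{token}"
    for _ in range(MAX_REDIRECTS + 1):
        p = urlparse(url)  # targets must stay on http:80 or https:443, also after a redirect
        if (p.scheme, p.port) not in (("http", None), ("http", 80), ("https", None), ("https", 443)):
            return False, f"disallowed redirect target: {url}"
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # a redirect to HTTPS is acceptable here
        elif status != 200:
            return False, f"unexpected status {status} from {url}"
        elif body.strip() != key_authorization:
            return False, "response body does not match the key authorization"
        else:
            return True, f"key authorization matched at {url}"
    return False, "too many redirects"

def fake_server(url):
    # Constructed stand-in for the web server: HTTP redirects to HTTPS, which serves the token.
    if url.startswith("http://example.test/"):
        return 301, "https://" + url[len("http://"):], ""
    if url == "https://example.test" + CHALLENGE_PATH + "tok":
        return 200, None, "tok.thumbprint\n"
    return 404, None, ""
```

Calling `validate_http01("example.test", "tok", "tok.thumbprint", fetch=fake_server)` succeeds via the HTTPS redirect; with the default `fetch` the same function performs real HTTP requests.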