The German Wikipedia article on Let’s Encrypt is saying the following:
[Validation requests] have to be answered correctly by the server. The protocol offers different possibilities to do this. With one of them, the ACME client software sets up a specially configured TLS server that replies to special requests from the certification authority using server name indication (domain validation via server name indication, DVSNI). However, this method is only accepted for issuing the first certificate for a domain (so-called trust on first use, TOFU). Afterwards, alternative validation via an existing certificate is employed. If one loses control over an already issued certificate, one must therefore acquire a certificate from a third party in order to get a Let’s Encrypt certificate again.
Now I have not read anything about validation via existing certificates on the Let’s Encrypt website. It also does not make sense to me. After all, if someone gets hold of my private key, he would be able to get a new certificate for my domains, and use this certificate to get another certificate, and so on. Is this statement on Wikipedia wrong? Is there some truth in it?