That is definitely a design quirk in zerossl acmev2 which I’m not too happy with. I’ve been wondering about a better solution as well. Optimally one that works in different deployment types.
I was thinking of maybe extending the default behavior on port 80. So that it always responds on that port and not only during certificate generation and then redirects to the https port by default. That would probably be a small change only in acmev2, but might improve the experience by a lot.
I have been using it successfuly for years.
Main difference is it integrates with phoenix and you have to specify the domains up front. The certificate is requested on application start.
BTW, it seems to me that the verification files generated in /.well-known aren’t deleted.
