"once you have completed the verification process for a given sub-domain you do not need to go through the same process again to issue a new certificate"<p>Authz (the ACME terminology for a data structure recording that your account is validated for a particular FQDN) have finite lifetime, right now it's 90 days, long enough to get one default renewal but it is expected to shorten to seven days or less at some point.<p>So, you should still expect to re-do the DNS validation challenge a few times per year.