ocf / puppet

Puppet config for OCF servers and lab machines
https://www.ocf.berkeley.edu/

lets-encrypt-update (for vhosts) fails on ocf domains #1264

Open ethanwu10 opened 2 years ago

ethanwu10 commented 2 years ago

lets-encrypt-update, the script responsible for issuing certs for all vhosts (apphosting and normal vhosts), chokes on any internal vhosts for a subdomain of ocf.io or ocf.berkeley.edu since acme-tiny is expecting an http-01 challenge, but it is not offered.

Subdomains under root domains are already handled by the Puppet LE infrastructure (which uses dns-01 challenges), but currently build-vhosts uses the certificates obtained from lets-encrypt-update (last updated Jan 09).

> Traceback (most recent call last):
>   File "/usr/bin/acme-tiny", line 33, in <module>
>     sys.exit(load_entry_point('acme-tiny==4.1.0', 'console_scripts', 'acme-tiny')())
>   File "/usr/lib/python3/dist-packages/acme_tiny.py", line 194, in main
>     signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
>   File "/usr/lib/python3/dist-packages/acme_tiny.py", line 131, in get_crt
>     challenge = [c for c in authorization['challenges'] if c['type'] == "http-01"][0]
> IndexError: list index out of range
> 
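As an added example (not code from the OCF puppet repo or from acme-tiny), the two checks a vhost issuer wrapper would want given the traceback above: a challenge selector that mirrors acme-tiny's failing line but raises a descriptive error instead of a bare `IndexError` when no http-01 challenge is offered, and a filter that sets aside names under the dns-01 managed roots named in the issue before acme-tiny is ever called. All function names and the sample authorization are assumptions constructed for this example.

```python
"""Pick an ACME challenge safely and skip vhosts covered by the dns-01 issuer."""

# Root domains whose subdomains get certificates from the dns-01 Puppet LE path.
DNS01_MANAGED_ROOTS = ("ocf.io", "ocf.berkeley.edu")


class UnsupportedChallenge(Exception):
    """Raised when the CA offers no challenge type this issuer can complete."""


def pick_challenge(authorization, wanted="http-01"):
    """Return the `wanted` challenge from an ACME authorization object.

    acme-tiny indexes `[c for c in challenges if c['type'] == 'http-01'][0]`,
    so an authorization without an http-01 offer dies with a bare IndexError.
    This version names the identifier and the challenge types actually offered.
    """
    challenges = authorization.get("challenges", [])
    for challenge in challenges:
        if challenge.get("type") == wanted:
            return challenge
    offered = sorted({c.get("type", "?") for c in challenges}) or "no challenges"
    ident = authorization.get("identifier", {}).get("value", "<unknown>")
    raise UnsupportedChallenge(f"{ident}: CA offered {offered}, not {wanted}")


def is_dns01_managed(hostname, roots=DNS01_MANAGED_ROOTS):
    """True if hostname is (a subdomain of) a root handled by the dns-01 issuer."""
    host = hostname.lower().rstrip(".")
    return any(host == root or host.endswith("." + root) for root in roots)


def partition_vhosts(hostnames):
    """Split vhost names into (issue here via http-01, leave to dns-01 infra)."""
    http01 = [h for h in hostnames if not is_dns01_managed(h)]
    dns01 = [h for h in hostnames if is_dns01_managed(h)]
    return http01, dns01


# Constructed authorization listing only a dns-01 challenge: the shape that
# makes acme-tiny's `[0]` raise IndexError in the traceback above.
SAMPLE_AUTHZ_DNS_ONLY = {
    "identifier": {"type": "dns", "value": "example-group.ocf.io"},
    "status": "pending",
    "challenges": [{"type": "dns-01", "status": "pending", "token": "constructed"}],
}
```

Running `pick_challenge(SAMPLE_AUTHZ_DNS_ONLY)` raises `UnsupportedChallenge` naming the host and the offered `dns-01`, which is the message the cron log would want instead of the stack trace; `partition_vhosts` keeps such names out of the http-01 run entirely.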
singingtelegram commented 2 years ago

backported from bookworm, let's see if it works

singingtelegram commented 2 years ago

should work now