When presented with a CSR which contains a wildcard DNS name the RA should strip the leading wildcard label and create an authorization for the base domain instead.
policy/AuthorityImpl.ChallengesFor will need to have it's interface changed in order to be able either be told the identifier is a substitute for a wildcard or provide a way to restrict which challenges are returned (so that we can get only a core.ChallengeTypeDNS01). Another option is that we just don't bother calling policy/AuthorityImpl.ChallengesFor and manually create the challenges list at the call site but this seems like it could lead to issues down the road possibly?
This was resolved with https://github.com/letsencrypt/boulder/commit/1c99f91733ec136f205e6a192f1abe0ae1c3f342
Most helpful comment
This was resolved with https://github.com/letsencrypt/boulder/commit/1c99f91733ec136f205e6a192f1abe0ae1c3f342