Thanks for taking the time to respond. This might be best discussed on
the serverfault page.
To address your points:
1. Most DNS requests on the internet are unsecured. Why would this
issue be any different? Remember, the letsencrypt server connects to
Pound to initiate a DNS or HTTP challenge, not the other way around.
2. For an HTTP challenge, the letsencrypt server only utilizes ports 80
or 443, and those are already in use by the running Pound instance,
as you know. Pound does not support virtual directories, and the
webapp does not support virtual directories either. The new service
you propose is therefore unworkable in this scenario.
3. I solved the letsencrypt challenge problem myself using a DNS
challenge, and the complete solution to creating and deploying the
resulting SSL certificate is shown on the serverfault page. A few
questions have yet to be resolved, and I welcome a discussion on
those remaining points. There is no need to discuss the pros and
cons of the relative value of a DNS challenge vs a webapp challenge,
because that part was done, tested and deployed.
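As an added illustration of the DNS-01 path mentioned in point 3 (this is example code, not part of the original post and not code from Pound, the webapp or Let's Encrypt): the value that must appear in the `_acme-challenge` TXT record is derived from the challenge token and the ACME account key's JWK thumbprint (RFC 8555 section 8.4, RFC 7638). Checking that the published record matches this value before asking the CA to validate avoids a failed authorization and the associated rate-limit hit. The token, the JWK and the in-memory resolver below are constructed placeholders, not real values.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def account_thumbprint(jwk: dict) -> str:
    """JWK thumbprint (RFC 7638): SHA-256 over the canonical required members,
    serialized with no whitespace and members in lexicographic order."""
    kty = jwk.get("kty")
    if kty == "RSA":
        canonical = {"e": jwk["e"], "kty": "RSA", "n": jwk["n"]}
    elif kty == "EC":
        canonical = {"crv": jwk["crv"], "kty": "EC", "x": jwk["x"], "y": jwk["y"]}
    else:
        raise ValueError(f"unsupported key type: {kty!r}")
    encoded = json.dumps(canonical, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return b64url(hashlib.sha256(encoded).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT record content for DNS-01: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def txt_record_name(domain: str) -> str:
    """Owner name the CA queries for the DNS-01 challenge."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def challenge_record_is_ready(domain: str, token: str, thumbprint: str, lookup_txt) -> bool:
    """Pre-flight check: does the published TXT record set contain the expected value?
    `lookup_txt(name)` is any callable returning the list of TXT strings for `name`;
    in production this would query the authoritative nameserver, not a local cache."""
    expected = dns01_txt_value(token, thumbprint)
    return expected in lookup_txt(txt_record_name(domain))


# --- constructed sample inputs (not real key material or a real CA token) ---
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-placeholder-modulus-not-real"}
SAMPLE_TOKEN = "constructedTokenValue_0123456789"
SAMPLE_DOMAIN = "example.com"


def sample_zone() -> dict:
    """Constructed stand-in for the DNS zone after the record has been published."""
    expected = dns01_txt_value(SAMPLE_TOKEN, account_thumbprint(SAMPLE_JWK))
    return {txt_record_name(SAMPLE_DOMAIN): [expected]}


def stale_zone() -> dict:
    """Constructed zone still holding a record from a previous challenge."""
    return {txt_record_name(SAMPLE_DOMAIN): ["stale-value-from-last-renewal"]}


if __name__ == "__main__":
    tp = account_thumbprint(SAMPLE_JWK)
    print("publish at", txt_record_name(SAMPLE_DOMAIN), "->", dns01_txt_value(SAMPLE_TOKEN, tp))
    print("ready:", challenge_record_is_ready(SAMPLE_DOMAIN, SAMPLE_TOKEN, tp, sample_zone().get))
    print("stale:", challenge_record_is_ready(SAMPLE_DOMAIN, SAMPLE_TOKEN, tp, stale_zone().get))
```

The check is deliberately separate from publishing the record: with a DNS challenge the listener on ports 80/443 (Pound, in this setup) is never involved, so the only thing worth verifying before triggering validation is that the authoritative zone already serves the expected TXT value.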