RA rejects wildcard DNS-Account-01 authorizations during reuse #8505

@sheurich

Description

The RA rejects wildcard authorizations with DNS-Account-01 challenges during reuse, though the PA offers DNS-Account-01 for wildcards.

Steps to Reproduce:

  1. Enable DNS-Account-01
  2. Complete an order for *.example.com using DNS-Account-01
  3. Create a second order for *.example.com
  4. The RA fails when reusing the authorization

Expected: The RA reuses the DNS-Account-01 authorization.

Actual: The RA returns `SA.GetAuthorizations returned a DNS wildcard authz ({authz_id}) with invalid challenge(s)`.

Root Cause:

In ra/ra.go:2244-2248, the authorization reuse validation only accepts DNS-01 for wildcards. This check was added in commit 52615d9 before DNS-Account-01 wildcard support was added (commit 46013ea). The PA was updated to offer both challenge types (policy/pa.go:614-619), but the RA's reuse validation wasn't updated.

```go
if ident.Type == identifier.TypeDNS && strings.HasPrefix(ident.Value, "*.") &&
    (len(authz.Challenges) != 1 || authz.Challenges[0].Type != core.ChallengeTypeDNS01) {
    return nil, berrors.InternalServerError(
        "SA.GetAuthorizations returned a DNS wildcard authz (%s) with invalid challenge(s)",
        authz.ID)
}
```

Why Tests Missed This:

Integration tests use random domains, preventing authorization reuse.

Fix:

Accept both DNS-01 and DNS-Account-01 for wildcards.
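As an added illustration (not Boulder's own code), the reuse guard from `ra/ra.go` rewritten as a function parameterised by the challenge types a wildcard authz may carry, using constructed stand-ins for the `identifier`/`core` types; `reuseCheckOld` reproduces the rejection reported above and `reuseCheckFixed` accepts both DNS-01 and DNS-Account-01 while still rejecting a wildcard authz that carries more than one challenge.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-ins for Boulder's identifier/core/authz types (not Boulder's own code).
type Identifier struct{ Type, Value string }
type Challenge struct{ Type string }
type Authorization struct {
	ID         string
	Identifier Identifier
	Challenges []Challenge
}

const (
	TypeDNS                   = "dns"
	ChallengeTypeDNS01        = "dns-01"
	ChallengeTypeDNSAccount01 = "dns-account-01"
)

// reuseCheck is the wildcard guard from the RA's authorization-reuse path,
// parameterised by the challenge types a wildcard authz may carry as its
// single challenge. It returns nil when the authz is acceptable for reuse.
func reuseCheck(authz Authorization, allowed ...string) error {
	ident := authz.Identifier
	if ident.Type != TypeDNS || !strings.HasPrefix(ident.Value, "*.") {
		return nil // only DNS wildcard authzs are subject to this check
	}
	if len(authz.Challenges) == 1 {
		for _, typ := range allowed {
			if authz.Challenges[0].Type == typ {
				return nil
			}
		}
	}
	return fmt.Errorf("SA.GetAuthorizations returned a DNS wildcard authz (%s) with invalid challenge(s)", authz.ID)
}

// reuseCheckOld mirrors the pre-fix behaviour: only DNS-01 is accepted.
func reuseCheckOld(authz Authorization) error { return reuseCheck(authz, ChallengeTypeDNS01) }

// reuseCheckFixed applies the proposed fix: DNS-01 or DNS-Account-01 is accepted.
func reuseCheckFixed(authz Authorization) error {
	return reuseCheck(authz, ChallengeTypeDNS01, ChallengeTypeDNSAccount01)
}
```

Running `reuseCheckOld` on a `*.example.com` authz whose sole challenge is `dns-account-01` yields exactly the error string from the report, while `reuseCheckFixed` returns nil for it.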
