feat: add ACME DNS-PERSIST-01 challenge support (IETF draft-ietf-acme-dns-persist)

Standing TXT record at _validation-persist.<domain> eliminates per-renewal
DNS updates. Auto-fallback to dns-01 if CA doesn't offer dns-persist-01.
ScriptDNSSolver extended with PresentPersist method. Configurable via
CERTCTL_ACME_CHALLENGE_TYPE=dns-persist-01 and
CERTCTL_ACME_DNS_PERSIST_ISSUER_DOMAIN env vars.

Also fixes IsExpired edge-case test in discovery_test.go that always failed
due to time.Now() drift between test setup and method invocation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/config/config.go

@@ -67,11 +67,12 @@ type StepCAConfig struct {
 
 // ACMEConfig contains ACME issuer connector configuration.
 type ACMEConfig struct {
-	DirectoryURL     string
-	Email            string
-	ChallengeType    string // "http-01" (default) or "dns-01"
-	DNSPresentScript string
-	DNSCleanUpScript string
+	DirectoryURL           string
+	Email                  string
+	ChallengeType          string // "http-01" (default), "dns-01", or "dns-persist-01"
+	DNSPresentScript       string
+	DNSCleanUpScript       string
+	DNSPersistIssuerDomain string // Required for dns-persist-01 (e.g., "letsencrypt.org")
 }
 
 // OpenSSLConfig contains OpenSSL/Custom CA issuer connector configuration.