During secondary validation: no valid A records found #5164
Hi all... I couldn't find anything online with a clear answer for the issue below... It looks like domains with expired certificates keep sending back the error below when an attempt is made to call acme with --renew. It's the second time it has happened in about a month, for 2 different domains that have expired certificates. Renewing domains that are still within the expiration date is not an issue...

mydomain.com: Verify error: During secondary validation: no valid A records found for mydomain.com; no valid AAAA records found for mydomain.com

dig clearly returns the A record, which hasn't changed in years... In addition... I see the "challenge" files and their contents written under .well-known/acme-challenge/... so that part works. It's not that those are missing. Currently I have 5 - one for each attempt to renew the certificate. I would like to know how to resolve the "secondary validation" issue... Thanks...

acme.sh --debug --renew -d mydomain.com
"Secondary validation" is when the CA (Let's Encrypt) has already checked your HTTP challenge response OK, but when they check it from a different geographic location it fails. You are most likely geoblocking traffic from certain countries (or all non-US traffic, etc.). You need to either not block geographically, or only block certain countries you have a problem with; alternatively, use a web application firewall to allow all HTTP requests for /.well-known/acme-challenge/* paths.
Note that Let's Encrypt recently started checking HTTP challenge responses from more countries (mainly Europe and Singapore, I think), which is why your validation is not failing.
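One way to apply the advice above, keeping a country block in place while exempting the challenge path so that every Let's Encrypt vantage point can fetch the token. This is an added example, not configuration from the acme.sh project or from this thread; it assumes nginx with the ngx_http_geoip2_module loaded, a GeoLite2 country database at the path shown, and /var/www/acme as the webroot passed to acme.sh with -w (all assumptions, as is the placeholder country code XX).

```nginx
# Added example (not from acme.sh or this thread). Assumes ngx_http_geoip2_module
# is loaded and a GeoLite2 country DB exists at this path (assumption).
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
    $geoip2_country_code country iso_code;
}

# 1 = blocked, 0 = allowed. "XX" is a placeholder, not a real country code.
map $geoip2_country_code $geo_blocked {
    default 0;
    XX      1;
}

server {
    listen 80;
    server_name mydomain.com;

    # Matched before the generic block below and never geo-filtered, so the
    # CA's secondary validators in any region can read the challenge token.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;       # assumed webroot used with: acme.sh -w /var/www/acme
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else keeps the country block (the setting that, applied to
    # the whole vhost, causes the "secondary validation" failure).
    location / {
        if ($geo_blocked) { return 403; }
        return 301 https://$host$request_uri;
    }
}
```

The failure mode the thread describes is exactly this country block applied to the whole server block with no challenge-path exception; the `^~` location above is the fix.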