I want to implement the scenario that got implemented with #235. It's working as expected when `challenge_validation_disable=True`; without this, any client fails. This seems to be because a2c is replying with the answer of the HTTP-01 challenge, and the failing DNS lookup (as there is no DNS record for this subdomain) for the internal record. I'm not sure if this is a regression (docs mention the existence of `dns_update_script` should force DNS).
```
docker run -i -v $PWD/.lego:/.lego/ --rm --name lego \
goacme/lego:v4.25.1 -s http://a2c-server:22280 -a --email "my@mail.com" \
-d test6.internal.site --cert.timeout 180 --http run
2026/05/15 01:14:44 [INFO] [test6.internal.site] acme: Obtaining bundled SAN certificate
2026/05/15 01:14:45 [INFO] [test6.internal.site] AuthURL: http://a2c-server:22280/acme/authz/rAbrmPkWoouQ
2026/05/15 01:14:45 [INFO] [test6.internal.site] acme: Could not find solver for: tls-alpn-01
2026/05/15 01:14:45 [INFO] [test6.internal.site] acme: use http-01 solver
2026/05/15 01:14:45 [INFO] [test6.internal.site] acme: Trying to solve HTTP-01
2026/05/15 01:14:45 [INFO] Deactivating auth: http://a2c-server:22280/acme/authz/rAbrmPkWoouQ
2026/05/15 01:14:45 Could not obtain certificates:
error: one or more domains had a problem:
[test6.internal.site] invalid challenge: acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS resolution failed: A: NXDOMAIN: test6.internal.site does not exist; AAAA: NXDOMAIN: test6.internal.site does not exist
```
(The lego version is the last one that accepts non-HTTPS ACME servers; up-to-date acme.sh also fails with the forwarded error from the HTTP challenge.)