Is DNS record for 'acme-challenge' required?

Yes, this. Adding Sweden would be good idea too. If you only support Singapore and USA you are already "failing" one location. Right now only one failure is allowed so your renewals are more vulnerable to temp failures.

Many people have used geo blocking to allow USA-only and gotten away with it. This was never best practice and LE has long had a non-USA validation center (now they have two and in different countries than before). Such geo-blocking doesn't add any security. Although I agree it eliminates a fair number of nuisance probes.

You should read Peter's wiki post that he linked to. Let's Encrypt is not unique in doing this and will (almost certainly) be included in the CA/B forum Baseline Requirements soon.

I've linked to the topic in that wiki that speaks to this but the entire thread is an excellent description of the whats and whys of this.

3 Likes