Problem with verification

Today, there are 4 checks in total: 1 from a primary validation location, and 3 from secondary validation locations.

The primary location must always succeed to validate the challenge, and at least 2 out of the 3 secondary locations must succeed. Currently, the secondary locations are all hosted on AWS, but in different regions.

These details are subject to change. (Source).

All of the validation methods require DNS lookups.

Let's Encrypt runs recursive DNS resolvers at each of the 4 locations.

So when you perform any challenge for a domain, each of the 4 DNS resolvers will send DNS queries to the domain's authoritative nameservers.

For HTTP validation, in addition to the DNS lookups as described above, you will also see 4 HTTP requests to the webserver hosting your domain, one from each validation location.

(I would add that this does not mean there are only 4 IP addresses. There are multiple IP addresses at each location.)

With this error specifically, this means that not enough of the validation locations succeeded in performing the DNS lookup of your domain.

This means either:

  • The primary validation location failed to get a response to its DNS queries, or
  • More than 1 of the secondary validation locations failed to get a response to their DNS queries
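A way to check the condition described above from your own side, as an added example that is not part of the original post and is not Let's Encrypt code: it sends one non-recursive query straight to each authoritative nameserver address you pass in and reports which ones answer and which time out. The function names, the 5-second timeout and the addresses in the usage comment are assumptions made for illustration; a single run only shows one vantage point, so run it from hosts in different networks or regions to approximate the multiple validation locations.

```python
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Encode a DNS query with RD=0, the form a resolver sends to an authoritative server."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype 1 = A, class 1 = IN

def summarize_response(data, txid=0x1234):
    """Reduce a raw DNS reply to rcode, authoritative flag, answer count and truncation."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction id, or QR bit not set
        return "malformed"
    rcode = RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    aa = "aa" if flags & 0x0400 else "non-aa"
    tc = " truncated" if flags & 0x0200 else ""
    return "%s %s answers=%d%s" % (rcode, aa, ancount, tc)

def probe(server_ip, name, timeout=5.0):
    """Query one nameserver over UDP; 'timeout' is the no-response failure the post describes."""
    family = socket.AF_INET6 if ":" in server_ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server_ip, 53))  # connected socket: only replies from this server are read
            s.send(build_query(name))
            data = s.recv(4096)
        except socket.timeout:
            return "timeout"
        except OSError as exc:
            return "error: %s" % exc
    return summarize_response(data)

if __name__ == "__main__":
    # Usage (constructed documentation addresses, replace with your nameservers' IPs):
    #   python probe_auth_ns.py example.com 192.0.2.53 2001:db8::53
    for ip in sys.argv[2:]:
        print(ip, probe(ip, sys.argv[1]))
```

A nameserver that answers from one network but returns `timeout` or `REFUSED` from another points to filtering in front of that nameserver (firewall, geo-blocking, rate limiting) rather than a problem with the record itself.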