OK, no AAAA record rules out the classic IPv6 over IPv4 address for validation with Let’s Encrypt issue.
Note that this error message comes from Trellis, that does a check on its own, before actually making Let’s Encrypt validate the domain (this can save quotas).
So when your workstation/CI server that runs Ansible (applies the Trellis playbook) is not able to resolve the domain or fetch the file (fail2ban comes to mind), this pre-check will fail, even when Let’s Encrypt may actually be able to validate:
So check on your workstation/CI server on which Ansible is used to apply the Trellis playbook, whether you can resolve that domain and whether you can request files from that site. It may very well be that you added test records to /etc/hosts or your local DNS server for example, that interferes with fetching the test file from the site by your own workstation/CI server.