Update 2023-05-06: Yep. Looks like CentOS7's NetworkManager was overwriting /etc/resolv.conf. Haven't had an issue since disabling it.
Update 2023-04-20: It looks like CentOS7's NetworkManager is the culprit. It was overwriting /etc/resolv.conf. I've since stopped and disabled NetworkManager and my resolv.conf has maintained the DNS entries I had intended from the file in /etc/sysconfig/network-scripts/. Haven't gotten a renewal error since. Will answer my question when more time has passed.
Been using certbot for years on CentOS 7. It's in a daily cron job. It seems that every time one of my domains comes up for renewal the cron will report the following:
Failed to renew certificate renewthisdomain.com with error: hostname 'acme-v02.api.letsencrypt.org' doesn't match 'renewthisdomain.com'
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/renewthisdomain.com/fullchain.pem (failure)
I then have to ssh into my server and run certbot renew
which always fails the first time (same error message as above), and then when I try it a second time it always seems to succeed.
Judging by the error there's something going on with DNS lookups, but I can't figure it out.
I run my own DNS servers on the same machines (master and slave) but everything else works fine as far as I can tell.
Here's maybe a related error from /var/log/letsencrypt/letsencrypt.log:
2023-04-08 11:32:34,314:DEBUG:certbot.ocsp:Error while running openssl ocsp -no_nonce -issuer /etc/letsencrypt/archive/domain.com-0001/chain20.pem -cert /etc/letsencrypt/archive/domain.com-0001/cert20.pem -CAfile /etc/letsencrypt/archive/domain.com-0001/chain20.pem -verify_other /etc/letsencrypt/archive/domain.com-0001/chain20.pem -trust_other -timeout 10 -header Host r3.o.lencr.org -url http://r3.o.lencr.org.
Error querying OCSP responder
2023-04-08 11:32:34,314:INFO:certbot.ocsp:OCSP check failed for /etc/letsencrypt/archive/domain.com-0001/cert20.pem (are we offline?)
2023-04-08 11:32:34,316:INFO:certbot._internal.renewal:Cert not yet due for renewal
Thanks
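The underlying failure in this thread is that the resolver configuration changed underneath the cron job, so certbot ended up talking to the wrong host and saw a certificate for the wrong name. As an added example (not code from the original post), here is a pre-flight check a renewal cron job could run before calling certbot: it verifies that /etc/resolv.conf still lists the intended nameservers and that the ACME endpoint resolves. The nameserver addresses and the cron wiring are placeholders to adapt.

```shell
#!/bin/sh
# Pre-flight check for a certbot renewal cron job: confirm the resolver
# configuration still lists the nameservers we intend to use before
# letting certbot contact acme-v02.api.letsencrypt.org.
# Hypothetical example; nameserver addresses below are placeholders.

# check_resolv_conf <resolv.conf path> "<ip> <ip> ..."
# Returns 0 if every expected nameserver appears as a 'nameserver' line
# in the given file; otherwise prints the missing ones and returns 1.
check_resolv_conf() {
    conf="$1"
    expected="$2"
    missing=""
    for ns in $expected; do
        # escape dots so the IP is matched literally
        ns_re=$(printf '%s' "$ns" | sed 's/\./\\./g')
        if ! grep -Eq "^[[:space:]]*nameserver[[:space:]]+${ns_re}([[:space:]]|$)" "$conf"; then
            missing="$missing $ns"
        fi
    done
    if [ -n "$missing" ]; then
        echo "$conf is missing nameserver(s):$missing (overwritten?)" >&2
        return 1
    fi
    return 0
}

# Resolve the ACME endpoint through the system resolver (needs network).
check_acme_resolves() {
    getent ahosts acme-v02.api.letsencrypt.org >/dev/null
}

# Intended cron use (placeholder resolver IPs; replace with your own):
#   check_resolv_conf /etc/resolv.conf "192.0.2.53 192.0.2.54" \
#     && check_acme_resolves \
#     && certbot renew --quiet
```

If the check fails, cron's mail shows which nameserver vanished instead of the misleading certificate-hostname error.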