
Update 2023-05-06: Yep. Looks like CentOS7's NetworkManager overwriting /etc/resolv.conf. Haven't had an issue since disabling it.

Update 2023-04-20: It looks like CentOS7's NetworkManager is the culprit. It was overwriting /etc/resolv.conf. I've since stopped and disabled NetworkManager and my resolv.conf has maintained the DNS entries I had intended from the file in /etc/sysconfig/network-scripts/. Haven't gotten a renewal error since. Will answer my question when more time has passed.

Been using certbot for years on CentOS 7. It's in a daily cron job. It seems that every time one of my domains comes up for renewal the cron will report the following:

Failed to renew certificate renewthisdomain.com with error: hostname 'acme-v02.api.letsencrypt.org' doesn't match 'renewthisdomain.com'
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/renewthisdomain.com/fullchain.pem (failure)

I then have to ssh into my server and run certbot renew, which always fails the first time (same error message as above), and then when I try it a second time it always seems to succeed.

Judging by the error there's something going on with DNS lookups, but I can't figure it out.

I run my own DNS servers on the same machines (master and slave) but everything else works fine as far as I can tell.

Here's maybe a related error from /var/log/letsencrypt/letsencrypt.log:

2023-04-08 11:32:34,314:DEBUG:certbot.ocsp:Error while running openssl ocsp -no_nonce -issuer /etc/letsencrypt/archive/domain.com-0001/chain20.pem -cert /etc/letsencrypt/archive/domain.com-0001/cert20.pem -CAfile /etc/letsencrypt/archive/domain.com-0001/chain20.pem -verify_other /etc/letsencrypt/archive/domain.com-0001/chain20.pem -trust_other -timeout 10 -header Host r3.o.lencr.org -url http://r3.o.lencr.org.

Error querying OCSP responder

2023-04-08 11:32:34,314:INFO:certbot.ocsp:OCSP check failed for /etc/letsencrypt/archive/domain.com-0001/cert20.pem (are we offline?)
2023-04-08 11:32:34,316:INFO:certbot._internal.renewal:Cert not yet due for renewal

Thanks

  • What addresses does a lookup for that domain actually return? Commented Apr 8, 2023 at 16:02
  • It's various domains and any of them I try to dig give me the proper IP addresses
    – Shovas
    Commented Apr 8, 2023 at 17:08
  • Try adding --force-renew as described here.
    – harrymc
    Commented Apr 8, 2023 at 20:22

1 Answer


Turns out it was CentOS7's NetworkManager overwriting /etc/resolv.conf, so some kind of DNS resolution must have been failing frequently. After stopping and disabling it, I haven't had any issues in about a month, when I would previously get multiple issues per week.
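The error in the question ("hostname 'acme-v02.api.letsencrypt.org' doesn't match 'renewthisdomain.com'") is certbot's TLS client refusing a connection: the peer presented a certificate for the site being renewed instead of one for the ACME API host, so the connection reached the wrong server, which points at name resolution rather than at certbot. The following POSIX shell functions are an added example, not code from the original post, the answer, or certbot; they check the cause the answer identified (NetworkManager regenerating /etc/resolv.conf with different nameservers than the DNS1/DNS2 lines in the ifcfg file) and whether NetworkManager.conf carries `dns=none` in its `[main]` section, the documented setting that stops NetworkManager from writing resolv.conf without disabling the whole service. The file paths and interface name are parameters and are assumptions; the sample values in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or from certbot).
# Each function takes file paths as arguments so it can be run against copies
# of the real files, or against constructed test files, without root.

# resolv_managed_by_nm RESOLV -> exit 0 if the file carries NetworkManager's banner line,
# which is what a regenerated /etc/resolv.conf starts with on CentOS 7.
resolv_managed_by_nm() {
    grep -q '^# Generated by NetworkManager' "$1"
}

# resolv_nameservers RESOLV -> print the nameserver IPs, one per line, in file order
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# ifcfg_dns IFCFG -> print DNS1=, DNS2=, ... values from an ifcfg-* file, quotes stripped
ifcfg_dns() {
    sed -n 's/^DNS[0-9]*=//p' "$1" | tr -d '"'
}

# dns_matches RESOLV IFCFG -> exit 0 if both files list the same nameservers in the same order
dns_matches() {
    [ "$(resolv_nameservers "$1")" = "$(ifcfg_dns "$2")" ]
}

# nm_leaves_resolv_alone NMCONF -> exit 0 if NetworkManager.conf has dns=none under [main].
# With dns=none NetworkManager still manages the interface but never touches resolv.conf,
# so the resolvers you wrote stay in place; this is an alternative to stopping the service.
nm_leaves_resolv_alone() {
    awk '
        /^\[/ { section = $0 }
        section == "[main]" && $0 ~ /^[[:space:]]*dns[[:space:]]*=[[:space:]]*none[[:space:]]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# diagnose RESOLV IFCFG NMCONF -> print a two-line verdict
diagnose() {
    if resolv_managed_by_nm "$1"; then
        echo "resolv.conf was regenerated by NetworkManager"
    elif dns_matches "$1" "$2"; then
        echo "resolv.conf matches ifcfg DNS entries"
    else
        echo "resolv.conf differs from ifcfg DNS entries"
    fi
    if nm_leaves_resolv_alone "$3"; then
        echo "NetworkManager.conf: dns=none, NetworkManager will not rewrite resolv.conf"
    else
        echo "NetworkManager.conf: NetworkManager may rewrite resolv.conf"
    fi
}

# Usage on a live CentOS 7 host (eth0 is an assumed interface name):
#   diagnose /etc/resolv.conf /etc/sysconfig/network-scripts/ifcfg-eth0 \
#            /etc/NetworkManager/NetworkManager.conf
```

If `diagnose` reports that resolv.conf was regenerated, the first line of /etc/resolv.conf is the evidence; adding `dns=none` under `[main]` in /etc/NetworkManager/NetworkManager.conf and restarting NetworkManager keeps the hand-written resolvers without disabling the service, which is worth checking before the next renewal window rather than after the cron job fails.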
