Symptom
When running `certbot renew`, an error like the following appears:
OCSP check failed for /xxx/cert1.pem (are we offline?)
Cause
A search turned up the cause: ocsp.int-x3.letsencrypt.org is a CNAME to a771.dscq.akamai.net, and resolution of that Akamai name is being interfered with, so certbot cannot reach the OCSP responder and reports it as "offline".
As a temporary workaround you can pin the name locally in the hosts file by adding the following line to /etc/hosts (note that this is an Akamai edge address, which can change over time; remove the entry once the name resolves normally again, and do not rely on it as a permanent fix):
23.32.3.72 ocsp.int-x3.letsencrypt.org
Verification (the -header form below is the OpenSSL 1.0.x syntax; on OpenSSL 1.1.0 and later write -header Host=ocsp.int-x3.letsencrypt.org instead):
# openssl ocsp -no_nonce -issuer /etc/letsencrypt/archive/xxx/chain1.pem -cert /etc/letsencrypt/archive/xxx/cert1.pem -url http://ocsp.int-x3.letsencrypt.org -CAfile /etc/letsencrypt/archive/xxx/chain1.pem -verify_other /etc/letsencrypt/archive/xxx/chain1.pem -trust_other -header Host ocsp.int-x3.letsencrypt.org
Response verify OK
/etc/letsencrypt/archive/www.itranscloud.com/cert1.pem: good
This Update: May 14 10:00:00 2020 GMT
Next Update: May 21 10:00:00 2020 GMT
After adding the entry, retry `certbot renew`: it succeeds and renews normally. The response is signed by the CA's OCSP responder and checked by `-verify_other`/`-trust_other` against the chain, so pointing the hostname at a different address cannot forge a "good" status; the check still fails if the response does not verify.
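The same check, wrapped as a small script so it can be rerun after the hosts change (an added example, not from the original post or from certbot). It reads the responder URL from the certificate's AIA extension instead of hard-coding ocsp.int-x3.letsencrypt.org, resolves the responder host first so a DNS problem is reported separately from an OCSP failure, and uses the OpenSSL 1.1+ `-header Host=...` syntax. It assumes openssl 1.1.1 or later and getent are installed; the certbot paths in the usage note are the usual /etc/letsencrypt/live layout.

```shell
#!/bin/sh
# Added example: reproduce the manual "openssl ocsp" check from the post as
# reusable functions. Assumes openssl >= 1.1.1 and getent (glibc) are present.

# Print the OCSP responder URL(s) from the certificate's AIA extension.
ocsp_uri_of() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# Reduce a URL to its hostname: drop the scheme, then anything from the
# first ':' (port) or '/' (path) onwards.
host_of_url() {
    printf '%s\n' "$1" | sed -e 's#^[a-z]*://##' -e 's#[/:].*$##'
}

# Resolve a hostname through the system resolver (honours /etc/hosts, so a
# pinned entry shows up here). Prints the first address, or nothing.
resolve_host() {
    getent hosts "$1" | awk '{print $1}' | head -n 1
}

# Query the responder named in the certificate and return 0 only when the
# response verifies AND the status is "good". Mirrors the flags used in the
# manual check: no nonce, chain used as issuer, CA file and trusted signer.
ocsp_check() {
    cert=$1
    chain=$2
    uri=$(ocsp_uri_of "$cert" | head -n 1)
    if [ -z "$uri" ]; then
        echo "no OCSP URI in $cert" >&2
        return 1
    fi
    host=$(host_of_url "$uri")
    if [ -z "$(resolve_host "$host")" ]; then
        echo "cannot resolve $host (are we offline, or is DNS being interfered with?)" >&2
        return 1
    fi
    out=$(openssl ocsp -no_nonce \
            -issuer "$chain" -cert "$cert" -url "$uri" \
            -CAfile "$chain" -verify_other "$chain" -trust_other \
            -header "Host=$host" 2>&1)
    printf '%s\n' "$out"
    printf '%s\n' "$out" | grep -q '^Response verify OK' || return 1
    printf '%s\n' "$out" | grep -q "^$cert: good"
}
```

Usage: `ocsp_check /etc/letsencrypt/live/example.org/cert.pem /etc/letsencrypt/live/example.org/chain.pem`; a zero exit status means the renewal-time OCSP check should pass, and the "cannot resolve" message is the case the /etc/hosts entry above works around.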
ref:https://holmesian.org/letsencrypt-ocsp-fix