Let's Encrypt certbot renew problem [ocsp…are we offline?]

Running the automatic renewal command failed with the following output:

WARNING: unable to check for updates.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/dajuan.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OCSP check failed for /etc/letsencrypt/archive/dajuan.com/cert1.pem (are we offline?)
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/ocsp.py", line 188, in _check_ocsp_cryptography
    timeout=timeout)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/api.py", line 119, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/sessions.py", line 530, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/sessions.py", line 643, in send
    r = adapter.send(request, **kwargs)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
ConnectionError: HTTPConnectionPool(host='ocsp.int-x3.letsencrypt.org', port=80): Max retries exceeded with url: / (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 113] No route to host',))
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/dajuan.com/fullchain.pem expires on 2020-11-25 (skipped)
No renewals were attempted.

This is the first error line:

OCSP check failed for /etc/letsencrypt/archive/dajuan.com/cert1.pem (are we offline?)

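After searching for the cause: the CNAME target of ocsp.int-x3.letsencrypt.org, a771.dscq.akamai.net, is being interfered with.
As a temporary workaround, you can override the name locally by adding the following to /etc/hosts: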

23.32.3.72     ocsp.int-x3.letsencrypt.org

Then run again:

certbot-auto renew

The output is now:

[root@VM-0-7-centos ~]# certbot-auto renew
WARNING: unable to check for updates.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/dajuan.com.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/dajuan.com/fullchain.pem expires on 2020-11-25 (skipped)
No renewals were attempted.
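
An added example (not from the original post and not part of certbot): a shell helper that pulls the unreachable OCSP host out of captured certbot-auto renew output and lists any hosts-file override for it, so a temporary pin like the one above can be found again and removed once it goes stale. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample files are hypothetical.

# Print the host named in certbot's OCSP ConnectionError line, if any.
# $1: file holding captured certbot-auto renew output
ocsp_failed_host() {
    sed -n "s/.*ConnectionError: HTTPConnectionPool(host='\([^']*\)', port=.*/\1/p" "$1" | sort -u
}

# Print every address a hosts-format file maps to a name.
# $1: hosts file, $2: host name (matched case-insensitively)
hosts_pins() {
    awk -v h="$2" '
        { sub(/#.*/, "") }                 # drop comments, whole-line or trailing
        NF >= 2 {
            for (i = 2; i <= NF; i++)      # a line may carry several aliases
                if (tolower($i) == tolower(h)) print $1
        }' "$1"
}

# Say whether the failing OCSP host is currently overridden locally.
# $1: certbot output, $2: hosts file
ocsp_pin_report() {
    host=$(ocsp_failed_host "$1")
    if [ -z "$host" ]; then
        echo "no OCSP connection failure found"
        return 0
    fi
    pins=$(hosts_pins "$2" "$host" | tr '\n' ' ')
    if [ -n "$pins" ]; then
        echo "$host still failing, hosts override present: ${pins% }"
    else
        echo "$host unreachable, no hosts override"
    fi
}

# Constructed sample input (not real system files).
tmp=$(mktemp -d)
printf '%s\n' "ConnectionError: HTTPConnectionPool(host='ocsp.int-x3.letsencrypt.org', port=80): Max retries exceeded with url: /" > "$tmp/renew.log"
printf '%s\n' '127.0.0.1 localhost' '23.32.3.72     ocsp.int-x3.letsencrypt.org  # temporary' > "$tmp/hosts"
ocsp_pin_report "$tmp/renew.log" "$tmp/hosts"
rm -rf "$tmp"
```

If the report shows the host still failing while an override is present, the pinned address is the first thing to recheck.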
