Just for complete transparency, the initial system was based on a FIPS kernel; I've just bought up an alternative that's using a non-FIPS kernel and I'm seeing the same thing...
Somewhat frustrating.
Are there any commands that I can run that would verify the files that the certbot container created?