> Simplest solution would be to switch off OCSP response verification.
I have just tried it. It takes two hits from a client to fill the cache of its worker process.
There are two problems with this:
- the other worker processes are not primed on restart, and therefore clients that
require OCSP stapling will print an error instead of rendering the page (my FF does it).
- the stapling is not verified...
> Alternatively, provide appropriate certificates via the
> ssl_trusted_certificate directive, see
> http://nginx.org/r/ssl_stapling_verify for details.
Yes, done that as well. The ssl_trusted_certificate includes the intermediate and the server's own.
However, ...
>> For verification to work, the certificate of the server certificate issuer, the root certificate,
>> and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.
So, nginx wants the root certificate too, which is nonsense. Can't nginx get the root certificate by itself?
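For reference, here is a server block that matches the quoted documentation (issuer certificate, all intermediates and the root in ssl_trusted_certificate, with ssl_stapling_verify left on). This is an added example, not configuration from anyone in this thread; the paths, hostname and resolver address are placeholders.

```nginx
# Added example (not from the thread). All paths and names are placeholders.
server {
    listen 443 ssl;
    server_name example.com;

    # Served chain: server certificate followed by the intermediates.
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;

    ssl_stapling        on;
    ssl_stapling_verify on;

    # Trust bundle used only to verify the OCSP response before it is stapled.
    # Per the docs quoted above it must hold the issuer of the server
    # certificate, every intermediate and the root; the server's own
    # certificate does not belong here.
    ssl_trusted_certificate /etc/nginx/ssl/ocsp-trust-chain.pem;

    # nginx fetches the OCSP response itself, so it needs a resolver
    # for the responder's hostname (placeholder: local stub resolver).
    resolver 127.0.0.53 valid=300s;
    resolver_timeout 5s;
}
```

The bundle is built as `cat intermediate.pem root.pem > ocsp-trust-chain.pem`. A staple can be checked from the outside with `openssl s_client -connect example.com:443 -servername example.com -status </dev/null`, looking for an "OCSP Response Status: successful" line; because each worker fetches the response on demand, the first connections after a restart will show no staple, so the check should be repeated once per worker before concluding that verification is failing.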