So it took me a while to figure out why OCSP stapling wasn't working on the server I'm building with Adam. I figured I'd write down what I found here to cover the problems I ran into. This is by no means a comprehensive list or solution, just what I found worked for me.
It seems that for OCSP stapling to work properly you need to enable it (ssl_stapling on;) in the default server block, not only in the server block for the name you are testing, because a client that sends no SNI lands on the default server.
For whatever reason this wasn't working on its own for me, so I also added ssl_stapling on; to the http block in /etc/nginx/nginx.conf.
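As an added example (not the original post's configuration), here is a minimal nginx layout that turns stapling on in both places described above, plus two directives the post does not mention but that nginx needs before it can staple at all: a resolver, because nginx looks up the OCSP responder hostname from the certificate's AIA extension itself and logs an error like "no resolver defined to resolve ..." without one, and ssl_trusted_certificate with the issuer chain so ssl_stapling_verify can validate the response. The certificate file must also contain the intermediate, otherwise nginx warns that ssl_stapling is ignored because the issuer certificate was not found. Paths, server names and the resolver address are placeholders.

```nginx
http {
    # Placeholder resolver: nginx needs one to resolve the OCSP responder host
    resolver 192.0.2.53 valid=300s;
    resolver_timeout 5s;

    # Stapling at http level is inherited by every server block below
    ssl_stapling on;
    ssl_stapling_verify on;
    # Issuer chain used to verify the OCSP response (placeholder path)
    ssl_trusted_certificate /etc/ssl/chain.pem;

    server {
        # Connections without SNI (openssl s_client without -servername) end up here
        listen 443 ssl default_server;
        server_name _;
        # Leaf plus intermediate: nginx reads the issuer from this file
        ssl_certificate     /etc/ssl/default.fullchain.pem;
        ssl_certificate_key /etc/ssl/default.key;
        ssl_stapling on;
        ssl_stapling_verify on;
    }

    server {
        listen 443 ssl;
        server_name sub.your.site;
        ssl_certificate     /etc/ssl/sub.fullchain.pem;
        ssl_certificate_key /etc/ssl/sub.key;
        # ssl_stapling and ssl_stapling_verify are inherited from the http block
    }
}
```

After reloading, watch the error log for the resolver and issuer messages mentioned above; either one means nginx silently serves no staple even though the directives are present.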
Now OCSP stapling seems to be working correctly on my other subdomains as well; the earlier failures appear to be because openssl s_client does not send SNI unless it is given -servername, so the test was always hitting the default server block rather than the subdomain's block.
You can test your own OCSP stapling status using the following command (the original used -tls1, which pins the handshake to TLS 1.0 and will be refused by current servers and OpenSSL builds, so it is left off here; -servername is added so the test exercises the SNI vhost rather than the default server):

openssl s_client -connect your.site:443 -servername your.site -tlsextdebug -status
nginx does not fetch the OCSP response before the first handshake; it requests it from the responder after the first connection that needs it and then caches it, so the first connection after a (re)start usually gets no staple. Run the command twice back to back and compare. A connection with no stapled response prints:

OCSP response: no response sent

A working staple prints the full response. The lines to check are Cert Status (should be good) and This Update / Next Update, the window during which the stapled response is valid:

OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
    Produced At: Oct 18 00:36:24 2014 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
      Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
      Serial Number: FD9BEFA92F8BEBCE721B67BED87783E3
    Cert Status: good
    This Update: Oct 18 00:36:24 2014 GMT
    Next Update: Oct 22 00:36:24 2014 GMT
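To check the two outputs above without eyeballing them, here is an added Python script (not from the original post) that builds the s_client command, parses the -status output, and judges whether a staple is present, reports the certificate as good, and is inside its This Update / Next Update window; it also connects twice, as the post advises. your.site is a placeholder host, and the two embedded sample outputs are constructed from the post's own lines.

```python
"""Parse and judge `openssl s_client -status` output for OCSP stapling.

Added example, not code from the original post. The host name is a placeholder
and the two sample outputs are constructed from the post's own lines."""
import re
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample: what the post shows for a connection with no staple.
NOT_STAPLED_SAMPLE = "OCSP response: no response sent\n"

# Constructed sample: the post's successful response, laid out as openssl prints it.
STAPLED_SAMPLE = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
    Produced At: Oct 18 00:36:24 2014 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
      Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
      Serial Number: FD9BEFA92F8BEBCE721B67BED87783E3
    Cert Status: good
    This Update: Oct 18 00:36:24 2014 GMT
    Next Update: Oct 22 00:36:24 2014 GMT
======================================
"""

FIELDS = ("OCSP Response Status", "Cert Status", "Serial Number",
          "Produced At", "This Update", "Next Update")


def s_client_command(host, port=443):
    """The post's test command, with -servername so SNI selects the right
    vhost, and without -tls1, which would pin the handshake to TLS 1.0."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}",
            "-servername", host, "-tlsextdebug", "-status"]


def run_s_client(host, port=443, timeout=15):
    """Run one handshake and return s_client's stdout as text.
    Empty stdin makes s_client exit right after the handshake."""
    proc = subprocess.run(s_client_command(host, port), input=b"",
                          capture_output=True, timeout=timeout)
    return proc.stdout.decode(errors="replace")


def parse_ocsp_status(output):
    """Return None when nothing was stapled, else a dict of the FIELDS found."""
    if "OCSP response: no response sent" in output:
        return None
    fields = {}
    for key in FIELDS:
        m = re.search(rf"^\s*{re.escape(key)}: (.+?)\s*$", output, re.M)
        if m:
            fields[key] = m.group(1)
    return fields or None


def parse_ocsp_time(text):
    """Parse openssl's 'Oct 18 00:36:24 2014 GMT' form into an aware datetime."""
    text = text.strip()
    if text.endswith(" GMT"):
        text = text[:-4]
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def evaluate(output, now=None):
    """Judge one s_client run. Returns (ok, reason). `now` may be a datetime,
    an openssl-style time string, or None for the current time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_ocsp_time(now)
    fields = parse_ocsp_status(output)
    if fields is None:
        return False, "no stapled response (first handshake after start, or nginx could not fetch one)"
    if not fields.get("OCSP Response Status", "").startswith("successful"):
        return False, f"responder status: {fields.get('OCSP Response Status', '?')}"
    if fields.get("Cert Status") != "good":
        return False, f"cert status: {fields.get('Cert Status', '?')}"
    if "This Update" not in fields or "Next Update" not in fields:
        return False, "validity window missing from response"
    this_update = parse_ocsp_time(fields["This Update"])
    next_update = parse_ocsp_time(fields["Next Update"])
    if not this_update <= now <= next_update:
        return False, f"stale staple: valid {this_update:%Y-%m-%d} to {next_update:%Y-%m-%d}"
    return True, f"stapled, good, valid until {next_update:%Y-%m-%d %H:%M} UTC"


def check_twice(host):
    """The post's advice: connect twice, since nginx fetches the OCSP response
    after the first handshake rather than before it; report the second result."""
    results = [evaluate(run_s_client(host)) for _ in range(2)]
    return results[-1]


if __name__ == "__main__":
    ok, reason = check_twice(sys.argv[1] if len(sys.argv) > 1 else "your.site")
    print(("OK" if ok else "FAIL") + ": " + reason)
    sys.exit(0 if ok else 1)
```

Run it as `python3 check_staple.py your.site`; a FAIL on the second connection means nginx is not stapling for that name, which with the configuration above usually points at a missing resolver, a certificate file without its intermediate, or the directive missing from the block that actually serves the name.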