@pfg and @lulu are correct: You need to set the ssl_trusted_certificate to chain.pem for OCSP stapling to work. Also bear in mind that Nginx lazy-loads OCSP responses. So the first request will not have a stapled response, but subsequent requests will.
I’ve got some example configs in https://github.com/jsha/ocsp-stapling-examples, but they are essentially the same as yours.
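
A way to check for the lazy-loading behaviour described in the post above, as an added example that is not part of the original post or the linked repository: it probes with `openssl s_client -status` several times and reports whether a stapled response appears. The function names and the `STAPLE_RETRY_DELAY` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): detect a stapled OCSP response,
# retrying because nginx fetches the response lazily after a (re)start.

# Classify the text printed by `openssl s_client -status`.
classify_staple() {
    if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$1" | grep -q 'OCSP response: no response sent'; then
        echo none
    else
        echo unknown   # handshake failed or output not recognised
    fi
}

# Real probe: one TLS handshake that requests the certificate status.
fetch_status() {
    openssl s_client -connect "$1:$2" -servername "$1" -status </dev/null 2>/dev/null
}

# check_stapling HOST [PORT] [TRIES] [FETCH_FN]
# Returns 0 as soon as one handshake carries a staple, 1 if none does.
check_stapling() {
    cs_host=$1; cs_port=${2:-443}; cs_tries=${3:-3}; cs_fetch=${4:-fetch_status}
    cs_i=1
    while [ "$cs_i" -le "$cs_tries" ]; do
        cs_result=$(classify_staple "$("$cs_fetch" "$cs_host" "$cs_port")")
        echo "attempt $cs_i: $cs_result"
        if [ "$cs_result" = stapled ]; then return 0; fi
        # Give nginx time to complete its background OCSP fetch.
        if [ "$cs_i" -lt "$cs_tries" ]; then sleep "${STAPLE_RETRY_DELAY:-2}"; fi
        cs_i=$((cs_i + 1))
    done
    return 1
}
```

After sourcing the file, run `check_stapling your.host 443`. If every attempt reports `none`, check that ssl_trusted_certificate points at chain.pem as the post says.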