Indeed, removing the -sha512 flag fixed this. Thanks.
However, if I move the -sha512 flag to the end of the line, it also works. Like so:
$ openssl ocsp -noverify -issuer chain.pem -cert cert.pem -url http://ocsp.int-x1.letsencrypt.org/ -header Host ocsp.int-x1.letsencrypt.org -sha512
I will investigate a bit more. My guess is that the flag isn’t even honored at the end of the line.
Edit: Technically, if the OCSP response says this:
This Update: Dec 25 20:00:00 2015 GMT
Next Update: Jan 1 20:00:00 2016 GMT
would it be OK to say that any further OCSP requests before 2016-01-01 20:00 are essentially useless? So I can stretch the update interval beyond one day, up to a week? I just want to find the best balance.
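The validity window quoted above can be checked mechanically. This is an added example, not part of the original post: it parses the This Update / Next Update lines from `openssl ocsp` text output and classifies a cached response. The function names and the `refresh_fraction` policy are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the two validity lines quoted in the post; the status
# line and indentation are constructed to resemble `openssl ocsp` text output.
SAMPLE = """\
cert.pem: good
    This Update: Dec 25 20:00:00 2015 GMT
    Next Update: Jan  1 20:00:00 2016 GMT
"""

_FIELD = re.compile(r"^\s*(This|Next) Update:\s*(.+?)\s*$", re.MULTILINE)
_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_validity(text):
    """Return (this_update, next_update) as UTC datetimes; next may be None."""
    found = {}
    for which, stamp in _FIELD.findall(text):
        found[which] = datetime.strptime(stamp, _FMT).replace(tzinfo=timezone.utc)
    if "This" not in found:
        raise ValueError("no 'This Update' field found")
    return found["This"], found.get("Next")


def cache_state(text, now, refresh_fraction=0.5):
    """Classify a cached response at time `now`.

    refresh_fraction is an assumed local policy: the share of the validity
    window after which a new response is fetched while the old one is still
    usable. It is not something the responder or openssl defines.
    """
    this_update, next_update = parse_validity(text)
    if now < this_update:
        return "not-yet-valid"      # clock skew or a bogus response
    if next_update is None:
        return "refresh"            # no window given: always re-query
    if now >= next_update:
        return "expired"            # must not be relied on any more
    refresh_at = this_update + (next_update - this_update) * refresh_fraction
    return "fresh" if now < refresh_at else "refresh"


if __name__ == "__main__":
    print(cache_state(SAMPLE, datetime.now(timezone.utc)))
```
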