Nginx requires a resolver directive be set to use OCSP stapling.
For example:
resolver 127.0.0.1;
Due to the resolver’s obsolete, insecure design, I would advise being cautious about using remote resolvers, though OCSP verification more or less mitigates any security risk from cache poisoning the OCSP server.
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
If you don’t want to set resolver, your other option is to disable OCSP stapling:
ssl_stapling off;
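A small config check for the points above, added here as an example and not part of the original post: it flags stapling enabled without a resolver, resolvers that are not loopback addresses, and ssl_stapling_verify without ssl_trusted_certificate. The function names and sample configs are constructed for illustration, and the parser only handles simple one-line directives.

```python
import ipaddress
import re

# Constructed sample configs for the example (not from the original post).
SAMPLE_OK = """
server {
    resolver 127.0.0.1;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
}
"""
SAMPLE_REMOTE = """
server {
    resolver 192.0.2.53 valid=300s;  # remote resolver
    ssl_stapling on;
}
"""

def directives(conf):
    """Map directive name -> list of arguments, for simple one-line directives."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"([a-z_]+)\s+([^;{}]+);$", line.split("#", 1)[0].strip())
        if m:
            found.setdefault(m.group(1), []).extend(m.group(2).split())
    return found

def is_loopback(addr):
    """True if a resolver address (optionally with :port) is a loopback IP."""
    try:
        host = addr[1:addr.index("]")] if addr.startswith("[") else addr.split(":")[0]
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname or malformed address: cannot be confirmed local
        return False

def check_stapling(conf):
    """Return a list of findings; empty means the config follows the advice."""
    d = directives(conf)
    if "on" not in d.get("ssl_stapling", []):
        return []  # stapling disabled or unset, so no resolver is needed for it
    findings = []
    # Resolver parameters such as valid=300s or ipv6=off contain "=".
    resolvers = [a for a in d.get("resolver", []) if "=" not in a]
    if not resolvers:
        findings.append("ssl_stapling is on but no resolver is set")
    findings += [f"resolver {r} is not a loopback address" for r in resolvers
                 if not is_loopback(r)]
    if "on" in d.get("ssl_stapling_verify", []) and "ssl_trusted_certificate" not in d:
        findings.append("ssl_stapling_verify is on without ssl_trusted_certificate")
    return findings
```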