A day ago, on Dec. 2nd at ~22:41 UTC I rewnewed a certificate of mine. The OCSP server though did not have the certificate status yet. This is a problem because the certificate has the "must-staple" extension, so clients will reject the certificate if there is no valid ocsp response. I tried fetching the new certificate's ocsp from the server and it took 30 minutes until the ocsp server had it.
Was there a known problem with the distributing new cert statuses to the ocsp server?
Is there a time window, that an client should wait between certificate issuance and expecting to make a successful ocsp fetch? Or should the ocsp servers have the information instantly?
A delayed ocsp status availability has been problematically here before (most people don't use must-staple certs and do not see those issues). I think letsencrypt needs to improve the processes there. I think actually for a certificate that has the must-staple extension the issued/signed certificate must only be made available to the acme client, if letsencrypt could make sure that the ocsp server(s) got the status for the new certificate. If you cannot ensure that the ocsp server(s) got the information, you should delay the reply to the acme client or let the issuance process fail. If you let the issuance process finish without the ocsp server being ready you are breaking the sites using the certs.