jsha: I agree with biker, you do a great job, no reason to apologise!
About the suboptimal OCSP handling of mod_ssl I also filed an Apache bug report a while ago: https://bz.apache.org/bugzilla/show_bug.cgi?id=57121
Better values to set for Apache’s mod_ssl to mitigate the suboptimal handling of OCSP replies:
SSLStaplingReturnResponderErrors off
SSLStaplingResponderTimeout 4
SSLStaplingStandardCacheTimeout 172800
SSLStaplingErrorCacheTimeout 60
This updates valid OCSP responses only every 48 hours and retries faster in case of erroneous OCSP replies. This helps for short outages but does not help in case the OCSP server is in a generic bad condition after the 48 hours are over though. In any case I currently would recommend those settings for every Apache setup with OCSP.
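
One way to check what a server actually staples once these settings are in place, as an added example that is not part of the original post: the function classifies the stapling section of `openssl s_client -status` output. The function name, the sample outputs (constructed, trimmed to the relevant lines) and the host `example.com` are assumptions.

```shell
#!/bin/sh
# Classify the OCSP stapling section of `openssl s_client -status` output.
# Reads s_client output on stdin and prints one of:
#   none            the server stapled nothing (what a client sees during a
#                   responder outage with SSLStaplingReturnResponderErrors off)
#   good|revoked|unknown   Cert Status of the stapled response
#   error:<status>  a stapled response whose responder status is not "successful"
staple_status() {
    awk '
        /OCSP response: no response sent/ { print "none"; found = 1; exit }
        /OCSP Response Status:/ {
            status = $4
            if (status != "successful") { print "error:" status; found = 1; exit }
        }
        /Cert Status:/ { print $3; found = 1; exit }
        END { if (!found) print "none" }
    '
}

# Constructed sample outputs, not captured from a real server.
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT'
SAMPLE_NONE='OCSP response: no response sent'
SAMPLE_TRYLATER='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)'

# Run the classifier over the constructed samples.
for sample in "$SAMPLE_GOOD" "$SAMPLE_NONE" "$SAMPLE_TRYLATER"; do
    printf '%s\n' "$sample" | staple_status
done

# Against a live server (example.com is a placeholder host):
#   openssl s_client -connect example.com:443 -servername example.com \
#       -status </dev/null 2>/dev/null | staple_status
```

A result of `error:trylater` means the server is passing responder errors on to clients; `none` means the handshake carried no staple at all.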