OCSP stapling issue with Nginx

That’s just how Nginx works. If the worker process (I believe) doesn’t have an OCSP response cached, it doesn’t wait. It handles the connection without OCSP stapling, and fires off an OCSP request in the background.

The only web servers with reliable OCSP stapling implementations are, I think, Caddy and IIS.

Using OCSP stapling with anything else is unreliable or requires a lot of work, and you shouldn’t use must-staple.

(Nginx supports statically configuring OCSP responses to staple, so you could use an external daemon to manage them. But I don’t think anyone’s written one.)

(Certbot is working on one for Apache, though.)

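As an added example (not from the post above, and not nginx's or Certbot's code), a small POSIX shell script covering both points raised: refreshing a static response for nginx's `ssl_stapling_file` from the certificate's own OCSP responder, and probing a host more than once because the first connection after a (re)start is answered without a staple. The certificate paths and the hostname are assumptions.

```sh
#!/bin/sh
# Added example (not nginx's, Certbot's or the poster's code); paths are assumptions.
set -eu

CERT=/etc/nginx/ssl/cert.pem       # leaf certificate (assumed path)
ISSUER=/etc/nginx/ssl/chain.pem    # issuing CA certificate (assumed path)
STAPLE=/etc/nginx/ssl/staple.der   # the file named by nginx's ssl_stapling_file

# Fetch a fresh OCSP response for the leaf. Keep it only if openssl reports the
# responder signature as verified and the status as "good"; then swap the file
# into place atomically and reload so the workers read the new one.
refresh_staple() {
  uri=$(openssl x509 -noout -ocsp_uri -in "$CERT")
  out=$(openssl ocsp -issuer "$ISSUER" -cert "$CERT" -url "$uri" \
          -respout "$STAPLE.tmp" 2>&1) || { rm -f "$STAPLE.tmp"; return 1; }
  printf '%s\n' "$out" | grep -q 'Response verify OK' || { rm -f "$STAPLE.tmp"; return 1; }
  printf '%s\n' "$out" | grep -Fq "$CERT: good" || { rm -f "$STAPLE.tmp"; return 1; }
  mv "$STAPLE.tmp" "$STAPLE"
  nginx -s reload
}

# Classify "openssl s_client -status" output read on stdin: "stapled" when a
# successful OCSP response arrived with the handshake, "none" otherwise.
staple_state() {
  if grep -q 'OCSP Response Status: successful'; then echo stapled; else echo none; fi
}

# nginx answers the first connection after a (re)start without a staple and
# only then fetches one in the background, so probe more than once before
# concluding that stapling is broken.
check_staple() {
  host=$1; tries=${2:-3}; i=1
  while [ "$i" -le "$tries" ]; do
    state=$(openssl s_client -connect "$host:443" -servername "$host" -status \
              </dev/null 2>/dev/null | staple_state)
    [ "$state" = stapled ] && { echo "attempt $i: stapled"; return 0; }
    echo "attempt $i: no staple"
    sleep 2; i=$((i + 1))
  done
  return 1
}

case "${1:-}" in
  refresh) refresh_staple ;;
  check)   check_staple "${2:?usage: $0 check HOST [TRIES]}" "${3:-3}" ;;
esac
```

Run `refresh` from cron or a systemd timer well before the response's nextUpdate, and `check HOST` after each reload to confirm the staple is actually being served.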