There are lots of posts here about OCSP stapling with Apache httpd (cf. Apache - robust OCSP stapling config, OCSP stapling advantages and disadvantages and What if Let's Encrypt goes down? - OCSP Stapling, just to name a few); however, all of these posts are closed now. There is also a blog post describing the problematic stapling implementation of Apache httpd (https://blog.hboeck.de/archives/886-The-Problem-with-OCSP-Stapling-and-Must-Staple-and-why-Certificate-Revocation-is-still-broken.html). The main problems are that OCSP responses are fetched synchronously and thus introduce a delay in the TLS handshake (especially if the OCSP responder goes down or is slow). This is a particular problem if OCSP Must-Staple is used.
TLDR: Today I found a nice small project (far fewer dependencies compared to https://github.com/greenhost/stapled, which is mainly targeting nginx and haproxy) which provides a workaround for these issues.
The project is https://github.com/philfry/ocsp_proxy. It provides a small HTTP proxy which caches OCSP responses (in redis) and also refreshes them automatically and periodically. This way Apache httpd has no cold-start problem while its own stapling cache is still empty, and there are still cached OCSP responses available in case the OCSP server goes down or responds slowly.
A working configuration is:
```apache
<IfModule mod_ssl.c>
    SSLUseStapling on
    SSLStaplingResponderTimeout 4
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
    SSLStaplingErrorCacheTimeout 60
    # for ocsp_proxy, https://github.com/philfry/ocsp_proxy/
    SSLStaplingStandardCacheTimeout 3600
    SSLOCSPProxyURL http://127.0.0.1:8888/
</IfModule>
```
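To confirm that a vhost really staples a response once SSLOCSPProxyURL points at the proxy, here is a small check script (an added example, not code from the post or from ocsp_proxy); it assumes openssl(1) is installed, and the host and port are whatever you want to test. Because SSLStaplingReturnResponderErrors is off, a failed fetch through the proxy shows up as no staple at all rather than as an error, so a missing staple is the symptom to watch for.

```shell
#!/bin/sh
# Check whether an Apache httpd vhost serves a stapled OCSP response and
# report the response's "Next Update", i.e. when the cached data goes stale.

# Read `openssl s_client -status` output on stdin; print good|revoked|unknown|none.
parse_staple_status() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo none
        return 0
    fi
    printf '%s\n' "$out" | sed -n 's/^ *Cert Status: \([a-z]*\).*/\1/p' | head -n 1
}

# Read the same output on stdin; print the "Next Update" timestamp, if any.
# ocsp_proxy should refresh well before this time, so a value in the past
# means the cached response was not renewed.
staple_next_update() {
    sed -n 's/^ *Next Update: *//p' | head -n 1
}

# Query a live server. Usage: check_staple example.org [443]
check_staple() {
    host=$1; port=${2:-443}
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
              -servername "$host" -status 2>/dev/null)
    status=$(printf '%s\n' "$out" | parse_staple_status)
    next=$(printf '%s\n' "$out" | staple_next_update)
    echo "$host: stapled status=$status next_update=${next:-n/a}"
    [ "$status" = good ]
}

# Constructed sample of what s_client prints when a staple is present ...
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Mar  1 12:00:00 2024 GMT
    Next Update: Mar  8 12:00:00 2024 GMT'
# ... and when Apache had nothing cached (responder or proxy unreachable).
SAMPLE_NONE='OCSP response: no response sent'

if [ "$#" -gt 0 ]; then
    check_staple "$@"
fi
```

Run it right after a restart as well as later on: with the proxy in place the first handshake should already carry a staple, and the Next Update value should move forward as ocsp_proxy refreshes the cached response.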
I hope this is helpful for you.