Oh, just saw this reply.
Apparently, at the same time you were writing that, I was discovering the same thing on my side, about the “waiting for a second.” I tried issuing a bunch of certs and checking OCSP in a loop (I know, I’m naughty, but it was in staging). My first tests slept 10 seconds between issuance and checking OCSP. No errors.
Sleeping 5 seconds, no errors.
Sleeping 1 second, no errors. (Probably would see some with more iterations, though.)
Sleeping 500ms or less, I get ‘unauthorized’ fairly often.
So you’re right, it seems the best thing to do is wait some time before stapling.
When I was finally able to reproduce the ‘unauthorized’ error, I had @xenolf try to reproduce it with the same program (modified from yours), and it worked fine for him, even though I kept getting ‘unauthorized’ over and over for the same cert, even 10 minutes later. I guess this is because Akamai is caching that result.
I’m still unclear why the error is ‘unauthorized’ but, then again, I don’t understand OCSP very well yet either.
Thanks for your help! I’ll build some more redundancy logic into my code.
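The “wait before stapling, retry on ‘unauthorized’” approach discussed in this post, as an added example (not code from the thread or from any Let’s Encrypt client): it reads the responseStatus from a DER OCSPResponse (layout per RFC 6960) and retries with backoff only on retryable statuses, giving up rather than stapling an error. The responder and the sleep function are injected stubs, and the sample responses are constructed status-only stubs.

```python
import time
from typing import Callable, Optional

# Added example (not code from the thread). DER layout per RFC 6960 4.2.1;
# responder and sleep are injected so it runs offline. 'unauthorized' right
# after issuance (then cached by the CDN) is what the thread saw.
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
RETRYABLE = {"tryLater", "unauthorized"}  # worth waiting and asking again


def _der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, index after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def ocsp_response_status(der: bytes) -> str:
    """responseStatus name from OCSPResponse ::= SEQUENCE { responseStatus
    ENUMERATED, responseBytes [0] EXPLICIT OPTIONAL }."""
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, pos = _der_length(der, 1)
    if der[pos] != 0x0A:  # ENUMERATED tag
        raise ValueError("responseStatus missing")
    length, pos = _der_length(der, pos + 1)
    value = int.from_bytes(der[pos:pos + length], "big")
    return OCSP_STATUS.get(value, f"unknown({value})")


def fetch_staple(fetch: Callable[[], bytes], max_attempts: int = 6,
                 initial_delay: float = 1.0,
                 sleep: Callable[[float], None] = time.sleep) -> Optional[bytes]:
    """Retry with exponential backoff while the status is retryable. Returns
    the DER on success, else None: serve without a staple, never staple an error."""
    delay = initial_delay
    for attempt in range(1, max_attempts + 1):
        der = fetch()
        status = ocsp_response_status(der)
        if status == "successful":
            return der
        if status not in RETRYABLE or attempt == max_attempts:
            return None
        sleep(delay)
        delay *= 2


# Constructed status-only stubs; a real 'successful' response also carries
# signed responseBytes that a production check must verify.
UNAUTHORIZED_DER = bytes.fromhex("30030a0106")
SUCCESSFUL_DER = bytes.fromhex("30030a0100")
```

Wrap the real HTTP POST to the responder in `fetch` and pass the default `time.sleep`; the caller decides how long it is willing to keep retrying a result the CDN may have cached.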