I use nginx 1.4.6 as it's the Ubuntu 14.04 LTS version. I've found errors in the logs due to the inability to get the OCSP response quickly enough. Errors looked like this:

```
OCSP_basic_verify() failed (SSL: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found) while requesting certificate status, responder: ocsp.int-x1.letsencrypt.org
```
My solution is to get the stapled file “offline” via a shell script cron job.
```sh
#!/bin/sh
# Fetch an OCSP response for one Let's Encrypt site and hand it to nginx
# as a stapling file. Usage: get-ocsp.sh <site-name-under-/etc/letsencrypt/live>
set -u

if [ $# -ne 1 ]; then
    echo "usage: $0 SITE" >&2
    exit 1
fi

SITE=$1
LEDIR=/etc/letsencrypt/live
DIR="$LEDIR/$SITE"
HOST=ocsp.int-x1.letsencrypt.org
MTO=my-email@example.com

# Ask the responder for the status of cert.pem; verify the reply against the
# intermediate in chain.pem. The two-argument "-header NAME VALUE" form is the
# OpenSSL 1.0.x syntax shipped with Ubuntu 14.04.
openssl ocsp -no_nonce \
    -respout "$DIR/ocsp.resp.new" \
    -issuer "$DIR/chain.pem" \
    -verify_other "$DIR/chain.pem" \
    -cert "$DIR/cert.pem" \
    -url "http://$HOST/" \
    -header "HOST" "$HOST" > "$DIR/ocsp-reply.txt" 2>&1

if grep -q ": good" "$DIR/ocsp-reply.txt"; then
    # Only reload nginx when the stapled response actually changed.
    if cmp -s "$DIR/ocsp.resp.new" "$DIR/ocsp.resp"; then
        rm "$DIR/ocsp.resp.new"
    else
        mv "$DIR/ocsp.resp.new" "$DIR/ocsp.resp"
        service nginx reload > /dev/null
    fi
else
    # Anything other than "good" (verify failure, revoked, network error) gets mailed.
    mailx -s "OCSP error for $SITE" "$MTO" < "$DIR/ocsp-reply.txt"
fi

# Keep the previous reply around for debugging.
mv "$DIR/ocsp-reply.txt" "$DIR/ocsp-reply-old.txt"
```
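The script above accepts the reply as soon as it finds ": good", which also matches a reply whose signature did not verify, and it never looks at the validity window, so a staple can sit on disk until after its "Next Update" time. The following is an added example, not part of the original post, that parses the text `openssl ocsp` prints (the sample replies are constructed and the dates are made up) and only accepts a response that verified, is "good", and is currently valid; it also reports when the next refresh is due. The function names (`parse_ocsp_reply`, `staple_ok`, `refresh_due`) and the one-day margin are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a successful `openssl ocsp ... 2>&1` reply
# (same layout as OpenSSL's text output; dates are invented).
SAMPLE_GOOD = """Response verify OK
/etc/letsencrypt/live/example.com/cert.pem: good
\tThis Update: Mar  3 12:00:00 2016 GMT
\tNext Update: Mar 10 12:00:00 2016 GMT
"""

# Constructed sample where the signer could not be verified; OpenSSL still
# prints the status lines, so a plain grep for ": good" would accept it.
# (The numeric prefix/suffix OpenSSL adds to the error line is omitted.)
SAMPLE_UNVERIFIED = """Response Verify Failure
error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found
/etc/letsencrypt/live/example.com/cert.pem: good
\tThis Update: Mar  3 12:00:00 2016 GMT
\tNext Update: Mar 10 12:00:00 2016 GMT
"""

STATUS_RE = re.compile(r"^(?P<cert>\S+): (?P<status>good|revoked|unknown)\s*$", re.M)
DATE_RE = re.compile(r"^\s*(?P<which>This|Next) Update: (?P<date>.+ GMT)\s*$", re.M)


def parse_gmt(s):
    """Parse OpenSSL's 'Mar  3 12:00:00 2016 GMT' timestamp (extra spaces collapsed)."""
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y GMT")


def parse_ocsp_reply(text):
    """Extract the fields a cron job should check: verify result, status, validity."""
    info = {
        "verified": "Response verify OK" in text,
        "status": None,
        "this_update": None,
        "next_update": None,
    }
    m = STATUS_RE.search(text)
    if m:
        info["status"] = m.group("status")
    for m in DATE_RE.finditer(text):
        key = "this_update" if m.group("which") == "This" else "next_update"
        info[key] = parse_gmt(m.group("date"))
    return info


def staple_ok(info, now):
    """True only if the reply verified, says 'good', and `now` lies inside its window."""
    if not info["verified"] or info["status"] != "good":
        return False
    if info["this_update"] is None or info["next_update"] is None:
        return False
    return info["this_update"] <= now <= info["next_update"]


def refresh_due(info, now, margin=timedelta(days=1)):
    """True when nextUpdate is within `margin` (or unknown): fetch a fresh response."""
    if info["next_update"] is None:
        return True
    return now >= info["next_update"] - margin


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("unverified", SAMPLE_UNVERIFIED)):
        info = parse_ocsp_reply(sample)
        now = parse_gmt("Mar  5 00:00:00 2016 GMT")
        print(name, "accept:", staple_ok(info, now), "refresh due:", refresh_due(info, now))
```

Wired into the cron job, the equivalent of `grep -q ": good"` becomes "verified and good and inside the validity window"; a reply that fails that check is the one to mail out, and `refresh_due` lets the job run hourly without reloading nginx until the staple is close to expiring.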
Then, in the appropriate nginx site configuration file:
```
ssl_stapling on;
ssl_stapling_file /etc/letsencrypt/live/example.com/ocsp.resp;
```
and in the root crontab:
```
6 * * * * /etc/letsencrypt/get-ocsp.sh example.com
```

which refreshes it at 6 minutes past each hour.