# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/ca_stapling.pem;

ca_stapling.pem should contain (from top to bottom) intermediate cert> root cert. Otherwise you might get an error like:

2021/10/26 15:46:04 [error] 22172#22172: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:self signed certificate in certificate chain) while requesting certificate status, responder: ocsp.starfieldtech.com, peer: 192.xx.xx.xx:80, certificate: "/etc/nginx/certs/yourfullcert.crt"

This shouldn't however be an issue with Letsencrypt certificates as in there you shouldn't need the ssl_trusted_certificate directive.

You can test on https://www.ssllabs.com/ or like this:

echo QUIT | openssl s_client -servername yourdomain.com:443 -connect youripordomain:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

It should return the response data.

• Debian 10
• nginx/1.21.3

• Openssl commands

• http://nginx.org/patches/attic/ocsp-stapling/README.txt
• https://www.mybluelinux.com/ocsp-stapling-on-nginx-and-apache-webserver/
• https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx