TL;DR: OCSP stapling cannot reliably work with pure on-demand TLS. If you need OCSP stapling (recommended for production), pre-issue the certificate instead of generating it on demand.
OCSP stapling is supported by the Caddy web server, but it is not enabled by default in OpenPanel.
On-demand TLS generates a certificate only when a client first connects. Because the certificate is issued dynamically, Caddy cannot reliably pre-fetch OCSP responses. Let’s Encrypt requires OCSP stapling responses to be available at handshake time. With on-demand certificates the OCSP response is often not ready yet, so a test with openssl reports "OCSP response: no response sent":
# openssl s_client -connect pejcic.rs:443 -status
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R12
verify return:1
depth=0 CN = pejcic.rs
verify return:1
OCSP response: no response sent
---
To enable OCSP stapling in OpenPanel, edit the tls section in the domain's Caddyfile (or in the default templates):
# SSL (only when SSL certificate is requested)
tls {
    on_demand
}
and replace it with:
tls you@example.com
then restart the web server:
docker restart caddy
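After the restart, the same openssl s_client -status probe shown above tells you whether the change took effect. The script below is an added example, not part of OpenPanel or Caddy: classify_ocsp reads openssl output on stdin and reports "stapled", "missing" or "unknown", and probe_host wraps the live probe for a hostname you pass in (port 443 is assumed). The sample outputs embedded for offline use are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not OpenPanel/Caddy code): verify OCSP stapling after
# switching Caddy from on-demand TLS to a pre-issued certificate.

# Classify `openssl s_client -status` output read from stdin.
# Prints one word and returns 0 (stapled), 1 (missing) or 2 (unknown).
classify_ocsp() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo stapled; return 0 ;;
        *"OCSP response: no response sent"*)  echo missing; return 1 ;;
        *)                                    echo unknown; return 2 ;;
    esac
}

# Probe a live host (needs network access and openssl). Assumes port 443
# and sends the hostname as SNI so the right certificate is selected.
probe_host() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" -status \
        </dev/null 2>/dev/null | classify_ocsp
}

# Constructed sample outputs for offline checks. They follow the shape
# openssl prints but were not captured from any real server.
SAMPLE_MISSING='CONNECTED(00000003)
depth=0 CN = example.invalid
verify return:1
OCSP response: no response sent
---'

SAMPLE_STAPLED='CONNECTED(00000003)
depth=0 CN = example.invalid
verify return:1
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
---'

# Usage:  sh check_ocsp.sh --self-test      (runs on the samples above)
#         sh check_ocsp.sh your.domain.tld  (probes a live host)
if [ "$1" = "--self-test" ]; then
    printf '%s\n' "$SAMPLE_MISSING" | classify_ocsp
    printf '%s\n' "$SAMPLE_STAPLED" | classify_ocsp
elif [ -n "$1" ]; then
    probe_host "$1"
fi
```

A result of "missing" after the config change usually means Caddy has not finished its first OCSP fetch yet or the tls block still contains on_demand; "unknown" means the handshake itself did not complete, which is worth checking before looking at stapling at all.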