Why OCSP stapling on NGINX for "buypass" DV certs fails without explicit root declaration?

Solution 1:

Update

It turns out that OpenSSL does not correctly handle OCSP responses signed by a designated authority (not the issuer). Although RFC 6960 explicitly denotes that an OCSP response should be verified using only the issuer cert (which also certifies the designated authority), OpenSSL does not abide by this and requires you to explicitly include the root certificate. If you use the CLI this happens automatically (use a combination of -CAfile and -noCApath to verify this!).

Original answer

It took me a fairly long time to figure this out! The problem is not NGINX but OpenSSL. I have found out that if the OCSP is signed by a designated responder (see RFC 6960), whose certificate is included in the OCSP response, OpenSSL fails to regard this additional certificate when verifying the response. I cannot exactly say why this problem does not arise when using the OpenSSL OCSP CLI (i.e., openssl ocsp -issuer x -cert y -url z).