id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1830	OCSP must staple fails with multi-domain certificates	Sam Bull		"If using the same certificate across multiple server blocks (e.g. subdomains), and the certificate sets the must staple flag, then several server blocks end up inaccessible for long durations, for example, when using Let's Encrypt.

It seems that the current behaviour is to cache the OCSP responses related to each server block, meaning that these multiple server blocks, which are using the same cert, each manage the OCSP responses separately.

It also seems that Let's Encrypt only allows a request for OCSP staples from the same source once for a given period of time (maybe 1 hour).

Result: After starting/reloading Nginx, the first domain to be visited successfully gets the OCSP staple, but the other domains will be rejected and the browser will get a security error (for maybe 1 hour) until the CA timeout allows a second request to get through. (The long timeout also results in frequent blackouts over time with renewals, not just at startup).

Proposed solution: Cache OCSP staple responses per certificate, not per server block.

This completely destroys the functionality of OCSP must staple for multi-domain sites, making it impossible to use."	defect	closed	major		nginx-core	1.14.x	duplicate	ocsp, staple		Linux sam-server 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5 (2019-06-19) x86_64 GNU/Linux	"nginx version: nginx/1.14.2
built with OpenSSL 1.1.1a  20 Nov 2018 (running with OpenSSL 1.1.1c  28 May 2019)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-sWHVb6/nginx-1.14.2=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_gzip_static_module --without-http_browser_module --without-http_geo_module --without-http_limit_req_module --without-http_limit_conn_module --without-http_memcached_module --without-http_referer_module --without-http_split_clients_module --without-http_userid_module --add-dynamic-module=/build/nginx-sWHVb6/nginx-1.14.2/debian/modules/http-echo"
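A check for the symptom this ticket describes, added here as an example (it is not part of the ticket or of nginx): it asks each server name served from one host for a stapled OCSP response and reports which names actually get one. It assumes the `openssl` CLI is installed; the host and server names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not part of the ticket: verify that every server name served
# from one host actually receives a stapled OCSP response. With per-server-block
# caching, the first name checked may show "stapled" while the others show
# "missing". Assumes the `openssl` CLI is installed.

# classify_ocsp_output: reads `openssl s_client -status` output on stdin and
# prints one of: stapled, missing, error
classify_ocsp_output() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo missing ;;
        *)                                    echo error ;;
    esac
}

# check_staple HOST NAME: TLS-connect to HOST:443 with SNI NAME, request a
# stapled response (-status) and classify the result
check_staple() {
    printf 'Q\n' | openssl s_client -connect "$1:443" -servername "$2" -status 2>/dev/null \
        | classify_ocsp_output
}

# report HOST NAME...: one line per name; returns 1 if any name lacks a staple
report() {
    host=$1; shift
    rc=0
    for name in "$@"; do
        status=$(check_staple "$host" "$name")
        printf '%s\t%s\n' "$name" "$status"
        [ "$status" = stapled ] || rc=1
    done
    return $rc
}

# Constructed samples of the relevant fragment of s_client output (not real captures)
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'
SAMPLE_MISSING='OCSP response: no response sent'

# Usage (placeholder names): sh check_staple.sh example.org www.example.org api.example.org
if [ "$#" -ge 2 ]; then
    report "$@"
fi
```

Run it once right after an nginx reload and again later; a name that reports `missing` while another name on the same certificate reports `stapled` is the per-server-block caching behaviour the ticket describes.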
