
Issue OCSP Stapling seems not to work

Physicus

New Pleskian
Hello,

I have a problem with the SSL It! option for OCSP stapling. It seems not to work.

I am using Plesk Obsidian v18.0.37_build1800210809.18 os_Ubuntu 18.04 (upgraded from Onyx 17.8) with the German language. I also use Apache with HTTP/2 and an nginx reverse proxy.

For a domain (website) on my server I have SSL with a Let's Encrypt certificate already in use and it works fine.

Now I tried to use OCSP stapling for this domain. To do this I went to "Websites & Domains" -> <my domain> -> "SSL/TLS certificates", switched on the option "OCSP-Stapling", and ordered the new Let's Encrypt certificate via the SSL It! extension. But after the new certificate had been installed, OCSP stapling was not working!

The file /var/www/vhosts/system/<my domain>/conf/nginx.conf contains (as expected):

#OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;

But in the generated CSR (certification request) there is nothing included for OCSP-Stapling and therefore also the certificate has no extension for OCSP.

It looks like switching on OCSP-Stapling in Plesk has no effect!

Have I missed something? I appreciate any help on this subject - many thanks!
 
I found out the reason for this myself:
To check if OCSP is enabled, I clicked on the SSL Labs test link provided on the Plesk page (SSL/TLS certificate). However, this performs the test with <domain> and not with www.<domain>! OCSP seems not to be supported with <domain>, but only with www.<domain>. After I opened the SSL Labs test page itself and entered www.<domain> for testing, it now outputs "OCSP stapling Yes" :)

BUT: I still have one question for the experts here:
How can I set the "OCSP Must Staple" flag?

Thanks for any hints in advance!
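
Added example (not part of the original posts): a shell helper that checks, per hostname, whether the server actually staples an OCSP response and whether a certificate carries the Must-Staple (TLS Feature) extension, by parsing `openssl s_client -status` and `openssl x509 -text` output. The function names, the sample output and `example.com` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Hostnames are placeholders.

# Classify `openssl s_client -status` output read from stdin.
# Prints: stapled-<cert status> | not-stapled | unknown
stapling_status() {
    awk '
        /OCSP response: no response sent/  { none = 1 }
        /OCSP Response Status: successful/ { ok = 1 }
        /Cert Status:/ && cert == ""       { cert = $3 }
        END {
            if (ok)        print "stapled-" (cert == "" ? "unknown" : cert)
            else if (none) print "not-stapled"
            else           print "unknown"
        }'
}

# Report whether `openssl x509 -noout -text` output on stdin shows the
# TLS Feature (Must-Staple) extension, OID 1.3.6.1.5.5.7.1.24.
has_must_staple() {
    if grep -Eq 'TLS Feature|1\.3\.6\.1\.5\.5\.7\.1\.24'; then
        echo yes
    else
        echo no
    fi
}

# Live check for one name. -servername sets SNI, so <domain> and
# www.<domain> are tested as separate virtual hosts.
check_host() {
    openssl s_client -connect "$1:443" -servername "$1" -status \
        </dev/null 2>/dev/null | stapling_status
}

# Constructed sample of s_client output with a stapled response.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'

printf '%s\n' "$SAMPLE_STAPLED" | stapling_status   # offline demo
# Live use: for h in example.com www.example.com; do check_host "$h"; done
```

nginx fetches the OCSP response lazily, so the first handshake after a reload can report `not-stapled`; run the check more than once before drawing a conclusion.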
 