OCSP stapling only partial?

Hi,
I’m really new to OCSP stapling.

I activated it on our website.
Before:
https://www.webpagetest.org/result/190719_EY_1435954110ba83a6cfc146dbd8402743/
After:
https://www.webpagetest.org/result/190718_1A_9ef6f87704f1d2ef6033c2568b7bd1e2/

Before, we had 2 OCSP calls, but there still remains one call to http://ocsp.usertrust.com

Is it normal?
Maybe my Apache configuration is not OK?

[code]SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
SSLUseStapling on[/code]

[code]# echo QUIT | openssl s_client -servername www.sutunam.com -connect www.sutunam.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
OCSP response:

OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 2C69FF80C98790AE34E1B4E74C93859940E9A7B2
Produced At: Jul 18 07:05:04 2019 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: BCDE91268256135DFC85EFC392F9189345669D92
Issuer Key Hash: 2C69FF80C98790AE34E1B4E74C93859940E9A7B2
Serial Number: BFDA66FABBB25F667729D64937F5D7C1
Cert Status: good
This Update: Jul 18 07:05:04 2019 GMT
Next Update: Jul 22 07:05:04 2019 GMT[/code]

I was thinking that once activated there would be no more OCSP calls :)

The certificate chain is leaf (sutunam.com) > intermediary (Sectigo) > root (User Trust)

In this case it looks like it’s the intermediary cert from Sectigo that’s not being stapled, which is pretty common for DigiCert (which is who Sectigo are) EV certificates.

If you examine the cert chain in Chrome or Safari, you’ll see the OCSP endpoint for the intermediary certificate matches the request you’re seeing.
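
The same check can be done from the command line. This is an added example, not part of the thread: it reads the Certificate ID serial out of `openssl s_client -status` output and lists the chain certificates whose OCSP status a client still has to fetch itself. The function names, the intermediate serial and the leaf OCSP URL are constructed placeholders; the leaf serial and `http://ocsp.usertrust.com` come from the question.

```bash
#!/bin/sh
# Added example, not from the thread. Sample data is constructed, except the
# leaf serial, which is the one in the stapled response quoted in the question.

# Serials the stapled response vouches for, from `openssl s_client -status`
# output on stdin. Only a serial inside a "Certificate ID:" entry counts: an
# embedded responder certificate prints its own "Serial Number:" line.
stapled_serials() {
  awk '/Certificate ID:/ { want = 1; next }
       want && /Serial Number:/ { print toupper($NF); want = 0 }'
}

# stdin: "serial ocsp_url" per chain certificate; $1: stapled serials.
# Prints the certificates whose status a client must still fetch itself.
unstapled() {
  while read -r serial url; do
    [ -n "$url" ] || continue            # no OCSP URL: nothing to fetch
    printf '%s\n' "$1" | grep -qixF -- "$serial" || printf '%s %s\n' "$serial" "$url"
  done
}

# Live input for unstapled (needs network): walks the chain the server sends.
chain_ocsp() {
  dir=$(mktemp -d) || return 1
  echo QUIT | openssl s_client -servername "$1" -connect "$1:443" -showcerts 2>/dev/null |
    awk -v d="$dir" '/BEGIN CERTIFICATE/ { n++ }
      /BEGIN CERTIFICATE/,/END CERTIFICATE/ { print > (d "/" n ".pem") }'
  for f in "$dir"/*.pem; do
    printf '%s %s\n' "$(openssl x509 -in "$f" -noout -serial | cut -d= -f2)" \
      "$(openssl x509 -in "$f" -noout -ocsp_uri)"
  done
  rm -rf "$dir"
}

# Constructed s_client excerpt; the last two lines mimic a responder certificate.
SAMPLE_STATUS='OCSP response:
OCSP Response Data:
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: BFDA66FABBB25F667729D64937F5D7C1
    Cert Status: good
Certificate:
        Serial Number: 4096 (0x1000)'

# Constructed chain: the leaf URL and the intermediate serial are placeholders.
SAMPLE_CHAIN='BFDA66FABBB25F667729D64937F5D7C1 http://ocsp.leaf-ca.example
00AA11BB22CC33DD http://ocsp.usertrust.com'

demo() { printf '%s\n' "$SAMPLE_CHAIN" | unstapled "$(printf '%s\n' "$SAMPLE_STATUS" | stapled_serials)"; }
demo
```

Against a live server, pipe `chain_ocsp host` into `unstapled` with the output of `stapled_serials` run over that host's `-status` output.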