Hi Sergio,

Test with self-sign: if I create a self-signed cert there is no problem, because there is no chain and no ocsp_uri inside the cert.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~$ openssl s_client -showcerts -connect localhorst.org:443
:~$ vim localhorst.org.crt

-----BEGIN CERTIFICATE-----
MIIGXTCCBUWgAwIBAgISBCNdJoHGg0NSqEXm0XRZadzOMA0GCSqGSIb3DQEBCwUA
[...]
aW0N0xphYg5wtFU6uggKYxYBVRoqhn0D264eEYOeQt9MmHy2cD2y3MfB7OE4xT12
xA==
-----END CERTIFICATE-----

:~$ openssl x509 -in localhorst.org.crt -noout -ocsp_uri
http://r3.o.lencr.org

The ocsp_uri is coming from the Let's Encrypt CA.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

When I am using self-sign, I create it in that way:

SERVER=own.localhorst.org
openssl genrsa -out $SERVER.nopasskey 4096
openssl req -new -key $SERVER.nopasskey -out $SERVER.csr
openssl x509 -req -days 365 -in $SERVER.csr -signkey $SERVER.nopasskey -out $SERVER.crt

:~$ openssl x509 -in own.localhorst.org.crt -noout -ocsp_uri
-> no output

:~$ openssl x509 -text -in own.localhorst.org.crt
Issuer: C = DE, ST = NRW, L = Cologne, O = localhorst, OU = localhorst, CN = own.localhorst.org
Subject: C = DE, ST = NRW, L = Cologne, O = localhorst, OU = localhorst, CN = own.localhorst.org
-> no chain

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# vim /etc/hosts
127.0.0.1 proxy.localhorst.org
127.0.0.2 own.localhorst.org

:~# sh /usr/share/doc/apache2/examples/setup-instance own
:~# sh /usr/share/doc/apache2/examples/setup-instance proxy

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I create an HTTPS Apache:

:~$ vim /etc/apache2-own/sites-enabled/own.conf

# container directives assumed; the excerpt in the mail omitted them
<VirtualHost *:443>
    ServerName own.localhorst.org
    SSLEngine On
    SSLCertificateFile /etc/apache2-own/ssl/own.localhorst.org.crt
    SSLCertificateKeyFile /etc/apache2-own/ssl/own.localhorst.org.nopasskey
    DocumentRoot /var/www/html-own
    DirectoryIndex index.html
    <Directory /var/www/html-own>
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/own_error.log
    CustomLog ${APACHE_LOG_DIR}/own_access.log combined
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

- - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# mkdir /var/www/html-own
:~# vim /var/www/html-own/index.html
own
:~# curl -k https://own.localhorst.org
own

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

and a proxy Apache:

:~# vim /etc/apache2-proxy/sites-enabled/000-default.conf

# container directive assumed; the excerpt in the mail omitted it
<VirtualHost *:80>
    ServerName proxy.localhorst.org
    ProxyPreserveHost Off
    ProxyRequests Off
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On
    SSLProxyVerifyDepth 0
    SSLProxyCACertificateFile /etc/apache2-own/ssl/own.localhorst.org.crt
    SSLProxyCipherSuite ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384
    SSLProxyProtocol -all +TLSv1.2
    ProxyPass / https://own.localhorst.org/
    LogLevel debug
    CustomLog ${APACHE_LOG_DIR}/localhorst_access.log common
</VirtualHost>

:~# curl http://proxy.localhorst.org
own

Conclusion so far: with self-sign, no OCSP entry and no chain, there is no problem.

-------------------------------------------------------------------------

I tried out an easy way with entries in

:~# vim /etc/ssl/openssl.cnf
[...]
authorityInfoAccess=OCSP;URI:http://r3.o.lencr.org/
[...]

on several "places" to get an ocsp_uri inside the self-signed cert created like above, but with no luck.

To create a complete root CA with a working OCSP responder: no idea so far.

Regards,
horst
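The reason the openssl.cnf entries above had no effect is that `openssl x509 -req` only adds extensions it is given through `-extfile`/`-extensions`; it does not read x509 extensions from the default config. The following is an added example, not code from the mail, that reproduces horst's self-sign steps with an extension file so the resulting cert carries an authorityInfoAccess/OCSP entry. It assumes openssl 1.1.1 or later in PATH, and the OCSP URI is a constructed placeholder, not a real responder.

```shell
#!/bin/sh
# Added example: self-signed cert carrying an OCSP URI via -extfile.
# Assumes openssl 1.1.1+; the URI passed in is a constructed placeholder.
set -e

make_selfsigned_with_ocsp() {
    server="$1"      # e.g. own.localhorst.org
    ocsp_uri="$2"    # e.g. http://ocsp.localhorst.invalid/ (constructed)
    workdir="$(mktemp -d)"

    # Extension section: openssl x509 -req ignores /etc/ssl/openssl.cnf,
    # so the authorityInfoAccess line must come from this file.
    cat > "$workdir/ext.cnf" <<EOF
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$server
authorityInfoAccess = OCSP;URI:$ocsp_uri
EOF

    # Same three steps as in the mail (smaller key to keep it quick),
    # plus -extfile/-extensions on the signing step.
    openssl genrsa -out "$workdir/$server.key" 2048 2>/dev/null
    openssl req -new -key "$workdir/$server.key" -subj "/CN=$server" \
        -out "$workdir/$server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$workdir/$server.csr" \
        -signkey "$workdir/$server.key" \
        -extfile "$workdir/ext.cnf" -extensions v3_server \
        -out "$workdir/$server.crt" 2>/dev/null

    # Print the OCSP URI now embedded in the cert (what the mail checked for).
    openssl x509 -in "$workdir/$server.crt" -noout -ocsp_uri
    rm -rf "$workdir"
}
```

Note that the cert is still self-signed (Issuer equals Subject), so a client that actually queries the embedded URI gets no meaningful answer until a CA and responder that know this cert exist.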