>Synopsis: httpd(8) does not append valid OCSP tickets
>Category: system
>Environment:
System: OpenBSD 6.1
Details: OpenBSD 6.1 (GENERIC) #19: Sat Apr 1 13:42:46 MDT 2017
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
Architecture: OpenBSD.amd64
Machine : amd64
>Description:
Attempting to use the ocsp tls option in httpd.conf(5) results
in an invalid OCSP response. Multiple clients generate an error,
including nc(1) in base and Firefox from packages.
>How-To-Repeat:
First create a valid OCSP response ticket with ocspcheck(1),
including the -N flag, as in this case the Let's Encrypt OCSP
responders appear not to support nonces.
# ocspcheck -N -o ocsp.der /foo/bar/xxxx.fullchain.pem
Download the relevant CA bundle to verify the OCSP response
ticket, to ensure that ocspcheck(1) is generating a valid ticket:
# ftp -o ca.pem https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
Verify the OCSP ticket with ocsptool(1) from the GnuTLS port (this may
be possible with openssl(1) in base, but I couldn't decipher the
relevant manpage section):
# ocsptool -e --no-nonce --load-signer ca.pem --load-response ocsp.der
Verifying OCSP Response: Success.
Configure httpd(8) with an appropriate httpd.conf(5) that has
the ocsp option enabled:
# cat /etc/httpd.conf
server "xxxx.com" {
	listen on * tls port 443
	tls {
		certificate "/foo/bar/xxxx.fullchain.pem"
		key "/foo/bar/xxxx.key"
		ocsp "/foo/bar/ocsp.der"
	}
}
Start httpd(8) (may be reaching into overly explicit territory
here :-) ):
# rcctl start httpd
Attempt to connect with nc(1):
# nc -zvc xxxx.com 443
Connection to xxxx.com 443 port [tcp/https] succeeded!
nc: tls handshake failed (ocsp verify failed: no result for cert)
Firefox gives a similar error:
An error occurred during a connection to xxxx.com. The OCSP
response does not include a status for the certificate being
verified. Error code:
MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING
Both work fine without the tls ocsp option in httpd.conf(5).
Could this be related to the -N flag in ocspcheck(1)? Does
httpd(8) expect a nonce?
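The check the report could not get out of openssl(1): does a saved OCSP
response actually carry a status for the certificate that will be served?
This is an added example, not part of the bug report or of OpenBSD; it
assumes only that openssl(1) (LibreSSL or OpenSSL) is on PATH, builds a
throwaway CA and two leaf certificates in a scratch directory (constructed
data), produces nonce-less responses with openssl's built-in responder, and
then shows a matching staple next to one built for a different certificate,
which is the "no result for cert" case the clients above reject.

```shell
#!/bin/sh
# Added example (not from the bug report). Assumes openssl(1) on PATH.
# Everything below is generated here; nothing real is touched.
set -eu
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT
cd "$W"

# Throwaway issuing CA and two leaf certificates signed by it (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj /CN=Test-CA -days 2 >/dev/null 2>&1
for n in good other; do
    openssl req -newkey rsa:2048 -nodes -keyout $n.key -out $n.csr \
        -subj /CN=$n.example >/dev/null 2>&1
    openssl x509 -req -in $n.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out $n.pem -days 1 >/dev/null 2>&1
done

# Minimal ca(1)-style index so the built-in responder answers "good" for
# good.pem; a serial that is not listed gets "unknown", not a missing entry.
serial=$(openssl x509 -in good.pem -noout -serial | cut -d= -f2)
printf 'V\t300101000000Z\t\t%s\tunknown\t/CN=good.example\n' "$serial" > index.txt

# make_response <leaf.pem> <out.der>: nonce-less response for one CertID,
# comparable to what ocspcheck -N stores for httpd(8).
make_response() {
    openssl ocsp -index index.txt -rsigner ca.pem -rkey ca.key -CA ca.pem \
        -issuer ca.pem -cert "$1" -no_nonce -CAfile ca.pem \
        -respout "$2" >/dev/null 2>&1
}

# ocsp_covers_cert <resp.der> <leaf.pem> <issuer.pem>: succeeds only when
# the response verifies against the issuer and reports "good" for exactly
# this leaf's CertID. openssl prints "ERROR: No Status found." otherwise.
ocsp_covers_cert() {
    openssl ocsp -respin "$1" -issuer "$3" -cert "$2" -CAfile "$3" \
        -no_nonce 2>&1 | grep -q "^$2: good"
}

make_response good.pem good.der    # staple that matches the served cert
make_response other.pem other.der  # staple built for a different cert

if ocsp_covers_cert good.der good.pem ca.pem; then
    echo "good.der carries a status for good.pem"
fi
if ! ocsp_covers_cert other.der good.pem ca.pem; then
    echo "other.der has no status for good.pem (the error seen above)"
fi
```

Run the same ocsp_covers_cert check against a real ocsp.der, the leaf from
the fullchain file and the downloaded ca.pem before pointing httpd(8) at it.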
>Fix:
Unknown, no idea how to make this work properly.