When using a bad internet connection I frequently get OCSP errors when trying to visit the forum. It seems my phone has trouble contacting the OCSP server of Comodo at such times, or the browser (Icecat) is doing some weird things with caching on an OCSP failure since the error often persists for a while, even when the connection has improved.
As I see it, enabling OCSP stapling would improve the performance in such cases and work around browser issues like these. I am maintaining Linux web servers myself so I know this feature is quite easy to enable in most web servers.
It would be nice if you consider this quick fix for the issues I occasionally have.
I have had this frequently with bad internet connections, for some months already. It was always the same OCSP error (if I encounter it again soon I can make a screenshot), I have never seen CRL issues.
Just to clarify: Both OCSP and CRL seem to work fine. But according to https://www.ssllabs.com/ssltest/analyze.html?d=forum.fairphone.com OCSP stapling is currently not enabled, meaning your nginx does not include a recent OCSP statement in the SSL negotiation but the browser has to get it from Comodo.
I think even if there are no OCSP errors it makes sense to enable OCSP stapling. This will save traffic, make the forum a bit more independent from Comodo problems and solve the privacy issues mentioned by @_Chris.
Following cipherli.st you only have to add this to your config:
Yes, in a normal nginx config these lines would do the trick. But we are running a different kind of setup. I need to check if I can set this up. If so I will let you all know.