Nginx with OCSP Stapling returns correct cert chain on one server, but no chain on another

So, I configured a simple site on a single server served by NGINX. The config is as follows:

server {
    listen 443;
    server_name my-server-name;
    ssl on;
    # leaf certificate only; the chain is not appended to this file
    ssl_certificate /etc/nginx/ssl/my-cert.crt;
    ssl_certificate_key /etc/nginx/ssl/my-cert.key;
    # intermediate/root chain only (used to verify stapled OCSP responses)
    ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam ssl/dhparam.pem;
    gzip off;
    resolver valid=300s;
    resolver_timeout 15s;

    location / {
        include uwsgi_params;
        uwsgi_pass unix:my.sock;
    }

    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/access.log;
}

Now, the ssl_certificate is just the certificate for the server, no chain appended to it. The ssl_trusted_certificate file contains just the chain, but not the certificate for the server.

This config works. I can debug it (calling the service via openssl) and see that the chain is correct and trusted, and that OCSP stapling is working correctly. All good.

I had to create another server, this time with nginx-proxy (essentially a docker container running Nginx). I was able to get OCSP working pretty easily, but this time the chain wasn't being returned.

If I appended the chain to the ssl_certificate then both the stapling and the chain were correct.

Now I have two working versions, and that's all well and good. What I can't figure out is why they seemingly work in different ways.

I'm not looking for workarounds, as I already have those. I just have an annoying gap in my knowledge that I'd like to fill up. Can anyone shed some light?
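The difference the poster describes (chain present or missing, OCSP response stapled or not) is visible in the `openssl s_client -status` handshake output. The script below is an added example, not part of the question and not code from nginx or nginx-proxy: it parses that output into a chain depth and a stapled-OCSP status so the two servers can be compared with one command. The host and port arguments, the script name `check_tls.sh`, and the two sample transcripts (hostnames `www.example.test`, the "Example CA" names) are all constructed placeholders; the samples exist so the parsing helpers can be run without a live server.

```shell
#!/bin/sh
# Added example: summarise what a TLS endpoint actually sends by parsing
# `openssl s_client -status` output. Not from the original question.
# Usage against a real server (placeholder arguments): sh check_tls.sh host [port]
# With no arguments it runs over the two constructed transcripts below.

# Number of certificates the server sent: the numbered " s:" subject lines
# inside s_client's "Certificate chain" block. 1 means leaf only, no chain.
chain_depth() {
    sed -n '/^Certificate chain$/,/^---$/p' | grep -c '^ *[0-9][0-9]* s:' || true
}

# Stapled OCSP status taken from the "Cert Status:" line of the decoded
# response ("good", "revoked", "unknown"); "none" when nothing was stapled.
ocsp_status() {
    s=$(sed -n 's/^ *Cert Status: *\([a-z]*\).*/\1/p' | head -n 1)
    echo "${s:-none}"
}

# One-line summary for a transcript on stdin, e.g. "chain=2 ocsp=good".
summarize() {
    out=$(cat)
    depth=$(printf '%s\n' "$out" | chain_depth)
    status=$(printf '%s\n' "$out" | ocsp_status)
    echo "chain=$depth ocsp=$status"
}

# Live probe of HOST:PORT; -servername sends SNI, -status requests stapling.
probe() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null
}

# Constructed transcript: leaf + intermediate sent and an OCSP response stapled
# (the shape of the working server's handshake).
SAMPLE_OK='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
---
Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example CA, CN = Example Intermediate
 1 s:C = XX, O = Example CA, CN = Example Intermediate
   i:C = XX, O = Example CA, CN = Example Root
---
Server certificate'

# Constructed transcript: leaf only, nothing stapled (the broken shape).
SAMPLE_BARE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example CA, CN = Example Intermediate
---
Server certificate'

if [ $# -gt 0 ]; then
    probe "$@" | summarize
else
    printf '%s\n' "$SAMPLE_OK" | summarize
    printf '%s\n' "$SAMPLE_BARE" | summarize
fi
```

Run it against each of the two servers and compare the summaries: a `chain=1` result means the server sent only the leaf and the client had to build the chain itself (browsers often succeed via cached or AIA-fetched intermediates, which is why a missing chain can go unnoticed), while `ocsp=none` means the stapled response was not delivered on that handshake. The regular expressions match both the `s:CN = ...` format of OpenSSL 1.1+ and the older `s:/CN=...` format.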