My SSL client certificate expired a few days ago, and I renewed it (created a new one) at cacert.org. Visiting my feed reader instance and confirming login with the client certificate, I got an error:
The Apache error log did not show anything, and the access log did not even show the requests the browsers made.
The data I captured with Wireshark during the SSL handshake were:
TLSv1.2 Certificate, Client Key Exchange, Certificate Verify
TLSv1.2 Alert (Level: Fatal, Description: Certificate Unknown) (Code 46)
The TLS specification describes alert 46, certificate_unknown, as: "Some other (unspecified) issue arose in processing the certificate, rendering it unacceptable."
Looking deeper into Wireshark's dissection of the handshake showed that the client certificate was issued by the CAcert class 3 certificate. That is not the root CA certificate but an intermediate certificate, which itself is signed by the CAcert class 1 root certificate.
The trust chain thus was the following:
CAcert class 1 root >> CAcert class 3 >> my client certificate
My server's verification depth was set to 1, while my new client certificate, with an intermediate in its chain, requires 2. After changing that and restarting Apache, it worked again in all browsers.
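The post does not name the setting; the mod_ssl directive that controls how many issuer levels the server will follow is SSLVerifyDepth, and the configuration below is an added example (not the author's own) showing the failing and the working value for the chain described above. Hostname, file paths and the CA bundle name are assumptions.

```apache
# Added example, not the post's configuration. Hostname, paths and the bundle
# file name are assumptions; the trust chain mirrors the one in the post.
<VirtualHost *:443>
    ServerName feeds.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/feeds.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/feeds.example.org.key

    # CAs trusted for client authentication. Include both the class 1 root and
    # the class 3 intermediate so the server can build the full chain even when
    # the browser sends only the leaf certificate.
    SSLCACertificateFile  /etc/ssl/certs/cacert-class1-class3-bundle.pem

    <Location /feedreader>
        SSLVerifyClient require
        # Chain: CAcert class 1 root >> CAcert class 3 >> client certificate
        # Depth 0: only self-signed client certificates are accepted.
        # Depth 1: the client certificate must be signed directly by a trusted
        #          CA (enough for the previous certificate in the post); one
        #          issued via the class 3 intermediate is rejected and the
        #          client sees the fatal alert 46, certificate_unknown.
        # Depth 2: one intermediate between the trusted root and the client
        #          certificate is allowed, which is what this chain needs.
        # SSLVerifyDepth 1
        SSLVerifyDepth 2
    </Location>
</VirtualHost>
```

Reload or restart Apache after the change, as the post did. Because a failed client-certificate verification aborts the TLS handshake before any HTTP request is sent, nothing reaches the access log, which is why only a packet capture showed the cause.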