My SSL client certificate expired a few days ago, and I renewed it (created a new one) at cacert.org. Visiting my feed reader instance and confirming login with the client certificate, I got an error:
ssl_error_certificate_unknown_alert (Firefox 38.0)
and
Certificate-based authentication failed ERR_BAD_SSL_CLIENT_AUTH_CERT (Chromium 41.0.2272.76)
The Apache error log did not show anything, and the access log did not even show the requests the browsers made: the TLS handshake failed before any HTTP request reached Apache, so there was nothing to log.
Wireshark
As always, Wireshark helped me understand what was going on.
The data I got from Wireshark during the SSL handshake was:
TLSv1.2 Certificate, Client Key Exchange, Certificate Verify
TLSv1.2 Alert (Level: Fatal, Description: Certificate Unknown) (Code 46)
This alone does not say much; the corresponding RFC (RFC 5246 for TLS 1.2) says about Code 46:
certificate_unknown Some other (unspecified) issue arose in processing the certificate, rendering it unacceptable.
Looking deeper into Wireshark's network log showed that the client certificate was issued by the CAcert class 3 certificate. That is not the root CA certificate but an intermediate certificate, which itself is signed by the CAcert class 1 root certificate.
The trust chain thus was the following:
CAcert class 1 root >> CAcert class 3 >> my client certificate
As I described in my SSL client cert server configuration article, you have to tell Apache how deep the trust chain may be with the SSLVerifyDepth directive. The depth counts the CA certificates above the client certificate: 1 allows only certificates signed directly by a CA the server knows, and each intermediate CA adds one level.
My server had a setting of 1, while my new client certificate, with the class 3 intermediate in between, requires 2. After changing that and restarting Apache, it worked again in all browsers.
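As an added illustration (not configuration from the original post), the relevant mod_ssl directives with the failing setting next to the corrected one; the file paths and virtual host name are assumptions:

```apache
# Assumed virtual host for the feed reader; only the client-auth directives are shown.
<VirtualHost *:443>
    ServerName feeds.example.org
    SSLEngine on

    # Trust anchors used to verify client certificates. The bundle must contain
    # the CAcert class 1 root AND the class 3 intermediate, otherwise Apache
    # cannot build the chain for certificates issued by the intermediate.
    SSLCACertificateFile /etc/ssl/cacert/class1-root-and-class3.pem

    SSLVerifyClient require

    # Failing setting: depth 1 accepts only client certificates signed directly
    # by a CA in SSLCACertificateFile. A class 3 (intermediate)-issued certificate
    # needs one more level, so the handshake ends in a fatal certificate_unknown alert.
    # SSLVerifyDepth 1

    # Corrected setting: root (2) -> class 3 intermediate (1) -> client certificate (0).
    SSLVerifyDepth 2
</VirtualHost>
```

Apache only rereads this on restart or reload, so remember to restart it after changing the depth, as the post does.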