HTTPS: SSL client certificate unknown error

My SSL client certificate expired a few days ago, and I renewed it (created a new one) at cacert.org. Visiting my feed reader instance and confirming login with the client certificate, I got an error:

ssl_error_certificate_unknown_alert

Firefox 38.0

and

Certificate-based authentication failed
ERR_BAD_SSL_CLIENT_AUTH_CERT

Chromium 41.0.2272.76

The Apache error log showed nothing, and the access log did not even contain the requests the browsers had made.

Wireshark

As always, Wireshark helped me understand what was going on.

What Wireshark showed during the SSL handshake was:

TLSv1.2 Certificate, Client Key Exchange, Certificate Verify
TLSv1.2 Alert (Level: Fatal, Description: Certificate Unknown) (Code 46)

This alone does not say much; the TLS 1.2 RFC (RFC 5246) says about code 46:

certificate_unknown
  Some other (unspecified) issue arose in processing the
  certificate, rendering it unacceptable.

Looking deeper into Wireshark's capture showed that the client certificate was issued by the CAcert class 3 certificate. That is not the root CA certificate but an intermediate certificate, which is itself signed by the CAcert class 1 root certificate.

The trust chain thus was the following:

CAcert class 1 root >> CAcert class 3 >> my client certificate

As I described in my SSL client cert server configuration article, you have to tell Apache how deep the trust chain may be with the SSLVerifyDepth setting.

My server had SSLVerifyDepth set to 1, while my new client certificate requires 2. After changing that and restarting Apache, it worked again in all browsers.

Written by Christian Weiske.

Comments? Please send an e-mail.