Ssl – AH01896: Unable to determine list of acceptable CA certificates for client authentication in Apache v2.4 SSLCACertificatePath directive

Great! So just to be clear, you were at the point where the error was SSL_ERROR_HANDSHAKE_FAILURE_ALERT. One nice way to investigate is with

openssl s_client -state -debug -showcerts -verify 0 -connect example.com:443

(and all sorts of useful options) and you were helpful enough to have provided the actual server name.

Handshake error is caused by, well, an error during the SSL / TLS handshake. We got the certificate just fine, which led me to assume that the problem was either something failing in response to CertificateRequest from the server, or something funky with the cipher suite. The latter problem has its own set of error messages now that I think about it more. Firefox's NSS and SSL Error Codes is handy here.

SSLVerifyClient require in the Apache configuration will indeed require that the client present a valid certificate to authenticate to the server, which was the problem as you confirm.

I found the error. It was because I am using a script to setup the certificates, and one of the steps I am performing is apache2ctl configtest. The error was coming from this command, and not from apache restart, which was what was misleading me. Since I was running the apache2ctl command as normal user, it had no access the the keyfiles, and thus the error message.

Facit: make sure all your apache commands are run with sudo, even the ones which are only intended for syntax verification (apache2ctl), since they alse need access to the keys.