ERR_BAD_SSL_CLIENT_AUTH_CERT Users are unable to login using CAC


Article ID: 408459


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When logging in using a CAC, users receive the following browser error:

<servername> didn't accept your login certificate, or one may not have been provided.

Try contacting the system admin.

ERR_BAD_SSL_CLIENT_AUTH_CERT

There were no changes in PAM, and no changes in the certificates in use.

Environment

PAM 4.2.0-4.2.3

Cause

The upgrade to 4.2.0 switched the cryptographic provider from OpenSSL to WolfSSL. Initially this caused no problem, but later updates affecting the certificate chain presented during CAC (client certificate) authentication produced a certificate list that the WolfSSL build embedded in PAM treated as ambiguous and rejected. The relevant behaviour is described in RFC 8446, section 4.4.2 (https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2), which states:

Note: Prior to TLS 1.3, "certificate_list" ordering required each certificate to certify the one immediately preceding it; however, some implementations allowed some flexibility.  Servers sometimes send both a current and deprecated intermediate for transitional purposes, and others are simply configured incorrectly, but these cases can nonetheless be validated properly.  For maximum compatibility, all implementations SHOULD be prepared to handle potentially extraneous certificates and arbitrary orderings from any TLS version, with the exception of the end-entity certificate which MUST be first.
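The two behaviours the RFC contrasts can be made concrete with a small model. The following is an added example, not PAM or WolfSSL code: it compares a strict path builder (each certificate must certify the one immediately before it, no extras) with the tolerant builder the RFC recommends (end-entity first, issuers found in any order, extraneous certificates ignored, same-name candidates disambiguated by key identifier). Certificates are modelled by name and key identifiers only, a matching Authority/Subject Key Identifier stands in for a successful signature check, and the names, key identifiers and sample chains are all constructed for the example.

```python
"""Toy model of TLS certificate_list path building (RFC 8446 section 4.4.2).

Added example, not PAM or WolfSSL code. A certificate is modelled by its
subject, issuer and key identifiers; an AKI that matches a candidate's SKI
stands in for a successful signature verification. All sample data below
is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: str           # Subject Key Identifier (stand-in for the public key)
    aki: str           # Authority Key Identifier (which key signed this cert)
    label: str = ""    # readable tag used only for output


class ChainError(Exception):
    pass


def _anchored(cert: Cert, roots: List[Cert]) -> bool:
    """True if cert is a trust anchor or was signed directly by one."""
    return any(r == cert or (r.subject == cert.issuer and r.ski == cert.aki)
               for r in roots)


def strict_path(chain: List[Cert], roots: List[Cert]) -> List[Cert]:
    """Pre-TLS-1.3 reading of certificate_list: cert[i+1] must certify
    cert[i] and nothing extraneous may appear. A stale intermediate sent
    next to the current one, or an out-of-order list, breaks this."""
    if not chain:
        raise ChainError("empty certificate_list")
    path = [chain[0]]
    for prev, cur in zip(chain, chain[1:]):
        if cur.subject != prev.issuer or cur.ski != prev.aki:
            raise ChainError(f"{cur.label} does not certify {prev.label}")
        path.append(cur)
    if not _anchored(path[-1], roots):
        raise ChainError("path does not reach a trusted root")
    return path


def tolerant_path(chain: List[Cert], roots: List[Cert]) -> List[Cert]:
    """RFC 8446 recommendation: end-entity first (mandatory), then search the
    remaining certificates in any order for an issuer whose key matches,
    skipping extraneous ones. Still fails when a real issuer is missing."""
    if not chain:
        raise ChainError("empty certificate_list")
    path, pool = [chain[0]], list(chain[1:])
    current = chain[0]
    while not _anchored(current, roots):
        # Name match alone is ambiguous when two intermediates share a
        # subject; the key identifier picks the one that actually signed.
        candidates = [c for c in pool
                      if c.subject == current.issuer and c.ski == current.aki]
        if not candidates:
            raise ChainError(f"no issuer found for {current.label}")
        current = candidates[0]
        pool.remove(current)          # pool shrinks, so the loop terminates
        path.append(current)
    return path


def fails(builder, chain: List[Cert], roots: List[Cert]) -> bool:
    """Helper for checks: True if the builder rejects the chain."""
    try:
        builder(chain, roots)
        return False
    except ChainError:
        return True


# Constructed sample PKI: one root, a deprecated and a current intermediate
# that share a subject name but have different keys, and one CAC-style leaf.
ROOT = Cert("Example Root CA", "Example Root CA", "root-k1", "root-k1", "root")
INT_OLD = Cert("Example ID CA", "Example Root CA", "int-k1", "root-k1",
               "deprecated intermediate")
INT_NEW = Cert("Example ID CA", "Example Root CA", "int-k2", "root-k1",
               "current intermediate")
LEAF = Cert("JANE.DOE.1234567890", "Example ID CA", "leaf-k1", "int-k2",
            "end entity")

CLEAN = [LEAF, INT_NEW]                 # what a strict reader expects
TRANSITIONAL = [LEAF, INT_OLD, INT_NEW]  # both intermediates sent
REORDERED = [LEAF, ROOT, INT_NEW]        # arbitrary order, root included
BROKEN = [LEAF, INT_OLD]                 # the real issuer is missing


def demo() -> dict:
    """Outcome of each builder on each constructed chain."""
    out = {}
    for name, chain in [("clean", CLEAN), ("transitional", TRANSITIONAL),
                        ("reordered", REORDERED), ("broken", BROKEN)]:
        out[name] = {
            "strict": "rejected" if fails(strict_path, chain, [ROOT]) else "ok",
            "tolerant": "rejected" if fails(tolerant_path, chain, [ROOT]) else "ok",
        }
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} strict={result['strict']:9s} tolerant={result['tolerant']}")
```

The transitional and reordered chains are exactly the cases the RFC says "can nonetheless be validated properly": the tolerant builder returns the path end entity, current intermediate for both, while the strict builder rejects them at the first certificate that does not certify its predecessor. The broken chain shows that tolerance of extras is not the same as skipping verification; with no certificate carrying the signing key, both builders reject it.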

Resolution

The problem will be resolved in the upcoming 4.3 and 4.2.4 releases. Look for a reference to DE623079 in the release notes once they are available. If you experience this problem on an affected release and an upgrade is not yet an option, open a case with PAM Support.