Log the SSL certificate that Apache is using for each SSL connection, for enhanced logging & debugging
mod_ssl exports a bunch of environment variables (see the list here), which can be used to log info about the certificate, for example, in a LogFormat directive like this:
LogFormat "cert_CN='%{SSL_SERVER_S_DN_CN}e', cert_expires='%{SSL_SERVER_V_END}e', vhost='%{Host}i', client='%h'" ssl_combined
However, before you start logging, be sure you check this article about the expiry of the DST Root CA X3 certificate. It is the one which signed the root CA of Let's Encrypt, and it expired in September. However, the root CA of Let's Encrypt is accepted as a trusted CA in itself by virtually every system. Because of this, the expiration is not a problem, and the issued certificates continue to work, except for older systems using openssl version < 1.1.0, which does not stop the validation when a trusted CA is found, but insists on checking the whole chain (and fails).
If the system in question has an older openssl, you can do nothing about the problem on the server side; openssl should be upgraded on the client. If that is not an option, blacklisting the expired certificate helps.
Apache HTTPD's mod_ssl sets various environment variables, some of which can be used to identify the server certificate. For example, there are SSL_SERVER_CERT (the complete PEM-encoded cert), SSL_SERVER_S_DN (the DN of the subject) and SSL_SERVER_M_SERIAL (the cert serial number).
You can use them in the logging configuration:
CustomLog "logs/ssl_request_log" "... %{SSL_SERVER_S_DN}x ..."
Read the mod_ssl manual for details.
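As an added example (not code from any of the answers above), here is a small Python script that parses lines written by the ssl_combined LogFormat from the first answer and, from the log alone, flags certificates that are expired or about to expire and vhosts served with a certificate whose CN does not match the requested Host. It assumes that format is in use (the %{...}e variables need SSLOptions +StdEnvVars; %{...}x works without it) and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the shape written by the ssl_combined LogFormat above.
SAMPLE_LOG = """\
cert_CN='www.example.com', cert_expires='Sep 30 14:01:15 2030 GMT', vhost='www.example.com', client='203.0.113.5'
cert_CN='old.example.net', cert_expires='Jan  3 08:00:00 2021 GMT', vhost='old.example.net', client='198.51.100.7'
cert_CN='www.example.com', cert_expires='Sep 30 14:01:15 2030 GMT', vhost='api.example.com', client='192.0.2.9'
"""

LINE_RE = re.compile(
    r"cert_CN='(?P<cn>[^']*)', cert_expires='(?P<expires>[^']*)', "
    r"vhost='(?P<vhost>[^']*)', client='(?P<client>[^']*)'"
)

def parse_expiry(value):
    """Parse mod_ssl's validity format ("Sep 30 14:01:15 2030 GMT", double space before single-digit days) as UTC."""
    fields = value.split()
    if fields and fields[-1].upper() in ("GMT", "UTC"):
        fields = fields[:-1]
    return datetime.strptime(" ".join(fields), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_line(line):
    """Return cn/expires/vhost/client for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["expires"] = parse_expiry(rec["expires"])
    return rec

def audit(log_text, now, warn_days=30):
    """Group connections by the certificate that served them and return findings: ('expired'|'expiring', cn,
    vhosts) by notAfter, and ('cn_mismatch', cn, [vhost]) when Host != CN (a hint only: SANs are not logged)."""
    served = {}  # (cn, expires) -> set of vhosts seen with that certificate
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            served.setdefault((rec["cn"], rec["expires"]), set()).add(rec["vhost"])
    findings = []
    for (cn, expires), vhosts in sorted(served.items()):
        left = expires - now
        if left <= timedelta(0):
            findings.append(("expired", cn, sorted(vhosts)))
        elif left <= timedelta(days=warn_days):
            findings.append(("expiring", cn, sorted(vhosts)))
        for vhost in sorted(vhosts):
            if vhost != cn:
                findings.append(("cn_mismatch", cn, [vhost]))
    return findings
```

Run it over the real ssl_request_log with now = datetime.now(timezone.utc); an "expired" finding that still shows connections is exactly the stale-chain situation the second answer warns about.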