StartSSL has reworked its homepage and some other things, and as a result sub.class1.server.ca.pem no longer seems to be supported.
They now provide new certificates, which must be included in the Apache configuration. The new certificate file is called
1_root_bundle.crt
and provides everything you need to complete the certificate chain, so that clients can establish trusted and secure
communication with your web server.
Therefore, you have to use the new 1_root_bundle.crt instead of the old sub.class1.server.ca.pem. Change these lines in your Apache configuration:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
SSLCertificateFile /etc/apache2/ssl/ssl.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
SSLCertificateChainFile /etc/apache2/ssl/1_root_bundle.crt
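
Why the chain file matters, as an added example (not part of the original post and not StartSSL's tooling): the script builds a constructed root, intermediate and server certificate with the openssl command line tool, then verifies the server certificate with and without the intermediate. The file names root.crt, chain.crt and server.crt and the subject names are assumptions made for the demonstration; chain.crt plays the role of 1_root_bundle.crt.

```shell
#!/bin/sh
# Added example: constructed test CA hierarchy, not StartSSL's real certificates.
# build_chain DIR: create root.crt, chain.crt (intermediate) and server.crt in DIR.
build_chain() {
    d=$1
    # Minimal OpenSSL config so the two CA certificates get CA extensions.
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Root CA: the only certificate a client has in its trust store.
    openssl req -x509 -config "$d/ca.cnf" -extensions ca -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Root CA" -days 2 \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
    # Intermediate CA signed by the root: the role of SSLCertificateChainFile.
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 1 -extfile "$d/ca.cnf" -extensions ca -days 2 \
        -out "$d/chain.crt" 2>/dev/null || return 1
    # Server certificate signed by the intermediate: the role of SSLCertificateFile.
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -CA "$d/chain.crt" -CAkey "$d/int.key" \
        -set_serial 2 -days 2 -out "$d/server.crt" 2>/dev/null || return 1
}

# chain_ok ROOT SERVER [CHAIN]: succeed if SERVER verifies up to ROOT,
# optionally using CHAIN as the untrusted intermediates sent by the server.
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}
tmp=$(mktemp -d) || exit 1
build_chain "$tmp" || exit 1
if chain_ok "$tmp/root.crt" "$tmp/server.crt"; then echo "no chain file: trusted"; else echo "no chain file: NOT trusted"; fi
if chain_ok "$tmp/root.crt" "$tmp/server.crt" "$tmp/chain.crt"; then echo "with chain file: trusted"; else echo "with chain file: NOT trusted"; fi
rm -rf "$tmp"
```

Without the intermediate the verification fails because the client cannot link the server certificate to a root it trusts, which is the gap the SSLCertificateChainFile line closes.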