Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
I would reach out to the service provider and ask them about this on their server:
"Having cross-signatures means that each of our RSA intermediates has two certificates representing the same signing key. One is signed by DST Root CA X3 and the other is signed by ISRG Root X1. The easiest way to distinguish the two is by looking at their Issuer field.
When configuring a web server, the server operator configures not only the end-entity certificate, but also a list of intermediates to help browsers verify that the end-entity certificate has a trust chain leading to a trusted root certificate. Almost all server operators will choose to serve a chain including the intermediate certificate with Subject “R3” and Issuer “ISRG Root X1”. The recommended Let’s Encrypt client software, Certbot, will make this configuration seamlessly."
The DST root is allegedly expiring and being retired (haven't verified this myself), cross-signing isn't something the networking teams adopted at scale, so in the event you don't have the full chain of certificates in your PAN-OS store (please go verify), the service will always show as unreachable as it will never present as valid because the firewall sees an expired intermediate when there's a valid co-signed path in parallel where the trust store chain lookup didn't follow. Same is true of any device without all certificates (browsers, servers, etc.).
I've also attached a screenshot of which browsers (mixed bag) support cross-signing natively as well. Ultimately, decryption is hard but I think your answer lies in ensuring a full certificate chain is fully imported, trusted, etc.
I'm not convinced it's a remote service, nor am I unconvinced it's the firewall, in either case hope this context helps.
