Just wanted to chime in. We are also seeing the problem on many websites. If you wireshark the traffic and filter tls.handshake.type==11 you can see the cross certificate(s) and its expiration (signedCertificate>validity>notAfter). Sometimes it's USERTrust RSA Certification Authority, sometimes it's AddTrust External CA Root, sometimes it's both. Don't trust things like Chrome's dev tools to see the offending certs; you need to wireshark the traffic from a machine that is *not* being decrypted.
I'm either telling people to fix their websites or patiently waiting for 8.1.15 and hoping it fixes the issue.
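Added example, not part of the post above: a Python sketch that takes the raw bytes of a reassembled TLS 1.2 Certificate handshake message (type 11) exported from such a capture and reports which certificates the server sent are past their validity > notAfter. The function names are hypothetical, and the sample input is constructed skeletal DER, not real certificates.

```python
from datetime import datetime, timezone

def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the DER element at off."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def not_after(der):
    """Walk Certificate > tbsCertificate > validity and return notAfter (UTC)."""
    _, cert, _ = read_tlv(der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    fields, off = [], 0
    while off < len(tbs):
        tag, val, off = read_tlv(tbs, off)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:           # optional explicit [0] version
        fields = fields[1:]
    validity = fields[3][1]            # order: serial, sigAlg, issuer, validity
    _, _, off = read_tlv(validity, 0)  # skip notBefore
    tag, val, _ = read_tlv(validity, off)
    digits = val.decode("ascii").rstrip("Z")
    if tag == 0x17:                    # UTCTime: two-digit year, 50-99 => 19xx
        digits = ("19" if digits[:2] >= "50" else "20") + digits
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def certs_from_handshake(msg):
    """Split a TLS 1.2 Certificate handshake message (type 11) into DER certs."""
    if msg[0] != 11:
        raise ValueError("not a Certificate handshake message")
    off, end, out = 7, 7 + int.from_bytes(msg[4:7], "big"), []
    while off < end:
        n = int.from_bytes(msg[off:off + 3], "big")
        out.append(msg[off + 3:off + 3 + n])
        off += 3 + n
    return out

def expired_in_chain(msg, now):
    """Return (position, notAfter) for every sent certificate expired at `now`."""
    dates = map(not_after, certs_from_handshake(msg))
    return [(i, d) for i, d in enumerate(dates) if d < now]

# Constructed sample: skeletal DER carrying only the fields parsed above.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body    # short-form lengths only

def skeleton(na):
    validity = tlv(0x30, tlv(0x17, b"100101000000Z") + tlv(0x17, na))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 2 + validity
    return tlv(0x30, tlv(0x30, tbs))

BODY = b"".join(len(c).to_bytes(3, "big") + c
                for c in map(skeleton, [b"380101000000Z", b"380101000000Z", b"200101000000Z"]))
SAMPLE = b"\x0b" + (len(BODY) + 3).to_bytes(3, "big") + len(BODY).to_bytes(3, "big") + BODY
```

Position 0 is the leaf; an expired entry at a later position is an intermediate or cross certificate the server is still sending.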