From what I see, the servers have both chains. Palo Alto behavior is one of the following: 1 - It checks if any is expired on the server and blocks no matter if one is good. 2 - It only checks the first one (expired) and doesn't even check the second one. I agree with you that it should be fixed, but it looks like it's more a code change than a certificate chain issue. The article that you posted previously shows that clearly on option 2. Was someone able to reboot the firewall just to validate if it's not a cache or something like that?