I JUST (10:37 AM EDT, October 12) ran openssl on this, here's what it's saying: ===== >openssl s_client -connect rest.zuora.com:443 -showcerts CONNECTED(00000003) depth=3 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5 verify return:1 depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2 verify return:1 depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global CA G2 verify return:1 depth=0 C = US, ST = California, L = San Mateo, O = Zuora Inc., CN = WWW.ZUORA.COM verify return:1 ===== CA CERT: ===== >openssl x509 -text -in zs1 Certificate: Data: Version: 3 (0x2) Serial Number: 18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5 Validity Not Before: Nov 8 00:00:00 2006 GMT Not After : Jul 16 23:59:59 2036 GMT Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5 ======= SERVER CERT: ======= >openssl x509 -text -in zs2 Certificate: Data: Version: 3 (0x2) Serial Number: 03:12:e3:19:35:0d:d4:16:2a:21:18:1a:56:7c:a2:5e Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=DigiCert Inc, CN=DigiCert Global CA G2 Validity Not Before: Dec 20 00:00:00 2017 GMT Not After : Dec 21 12:00:00 2018 GMT Subject: C=US, ST=California, L=San Mateo, O=Zuora Inc., CN=WWW.ZUORA.COM ===== That's not a Comodo CA cert at the root. That server certificate still expires in December. I dunno what else to do here except to say that "rest.zuora.com" doesn't have the new cert chain yet. It's the same situation for " api.zuora.com". Am I maybe just misunderstanding the scope of the environments affected in this certificate update?
... View more