Has the SSL Inspection Chain changed this summer?

We have been having a lot more SSL inspection issues since this summer. I was able to install some apps in early june on my PC without issue but the exact same app no longer installs since July. I am trying to nail down the cause. Most of the apps are python based. It appears that the ssl chain now includes more intermediate certificates than I remember in the past. One is short lived too which makes it nearly impossible to try to maintain a root ca file. The CA file available for download from the zscaler portal only has 1 root and no intermediate CAs. It seems that python and some other apps require the full chain to be installed in a local ca certs file as they don’t appear to support AIA fetching. I don’t wish to exclude all these apps from SSL inspection so I am looking for a better workaround.