Has the SSL Inspection Chain changed this summer?

We have been having a lot more SSL inspection issues since this summer. I was able to install some apps in early june on my PC without issue but the exact same app no longer installs since July. I am trying to nail down the cause. Most of the apps are python based. It appears that the ssl chain now includes more intermediate certificates than I remember in the past. One is short lived too which makes it nearly impossible to try to maintain a root ca file. The CA file available for download from the zscaler portal only has 1 root and no intermediate CAs. It seems that python and some other apps require the full chain to be installed in a local ca certs file as they don’t appear to support AIA fetching. I don’t wish to exclude all these apps from SSL inspection so I am looking for a better workaround.

I also notice we have changed our TLS certificate signing process, with what looks like additional Intermediate CA’s and short lived (14 days) certificates.

A customer is concerned about the length of time the certificate is valid for and wants some official wording on our certificate management.

I just thought I would follow up since I can’t delete my original post. The actual issue I had seems to be related to the roots.pem file I was using. It somehow got corrupted even though the timestamp did not indicate the file had been modified since the problem started occurring. I generated a new roots file with the zscaler cert added in and set the env variable SSL_CERT_FILE to reference it and all my python issues went away. I guess it is also possible Zscaler fixed something on their end as this whole thing started out of the blue for me without any apparent changes on my end.