Zscaler Root CA disappeared from rewritten cert chains

Since the EST morning of 2020-11-30, some of our tools fail to accept the Zscaler-rewritten cert chains. Using the “openssl s_client -connect SITE:443 -showcerts”, I could see that the self-signed Zscaler Root CA was missing from the chain (i.e. the chain started with a Zscaler intermediate cert signed by the Zscaler Root CA). I filed a support case 02644981 but received no confirmation (I was not even registered).

This is urgent as we have many builds using an external SaaS site for component analysis.

Never mind, our tool was never made aware of Zscaler, so it broke only due to some outgoing routing change that started rewriting the traffic. It appears many TLS implementations are fine with the absence of the root CA because they can just de-reference it from the signatory of the intermediate cert.