this happened today:

i don't disagree with their approach at all, but since the change was designed to just work for newer clients, and since older clients are, well, older, and since the change happens on servers but it impacts their clients, it was hard to see this coming until it hit.

in my case the fix was easy—upgrade openssl and rebuild—but reading the threads about this change highlights how disruptive the expiration of a root certificate can be, especially as older clients, which may not be as easy to upgrade, proliferate.