The issue is that Google did not communicate this properly.

The only communication about StartSSL is here: https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html?m=1 which says:

----8<------
Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC will not be trusted. Certificates issued before this date may continue to be trusted, for a time, if they comply with the Certificate Transparency in Chrome policy or are issued to a limited set of domains known to be customers of WoSign and StartCom.
---8<-----

Apparently "for a time" means Chrome 57, without any warning, which I think is way too careless for dealing with such matters.
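As an added example that is not part of the thread, the quoted rule can be turned into a quick audit for the certificates you operate: feed it the two lines that `openssl x509 -noout -issuer -startdate` prints for a certificate and it tells you whether the cert is unaffected, distrusted outright (issued by WoSign or StartCom at or after the cut-off), or only conditionally trusted (issued before the cut-off, so dependent on the CT-compliance or domain-whitelist exception that the thread says was later dropped). The `openssl` output samples below are constructed, and the function names are my own.

```python
from datetime import datetime, timezone

# Cut-off stated in the quoted Google post: certificates issued by WoSign or
# StartCom at or after this instant are not trusted from Chrome 56 onwards.
CUTOFF = datetime(2016, 10, 21, 0, 0, 0, tzinfo=timezone.utc)
DISTRUSTED_CAS = ("StartCom", "WoSign")

# Possible outcomes of the policy check.
UNAFFECTED = "unaffected"    # issuer is not one of the two CAs
DISTRUSTED = "distrusted"    # issued at/after the cut-off: never trusted
CONDITIONAL = "conditional"  # issued before: only via CT compliance or the domain list


def parse_openssl_summary(text):
    """Parse the output of `openssl x509 -noout -issuer -startdate`.

    Returns (issuer_string, not_before) with not_before as an aware UTC datetime.
    Works with both the old "/C=IL/O=..." and the new "C = IL, O = ..." issuer styles,
    because the CA check below is a plain substring match.
    """
    issuer = not_before = None
    for line in text.splitlines():
        if line.startswith("issuer="):
            issuer = line[len("issuer="):].strip()
        elif line.startswith("notBefore="):
            raw = line[len("notBefore="):].strip()
            # openssl prints e.g. "Nov  3 09:15:00 2016 GMT" (day space-padded).
            # strptime with %Z accepts "GMT" but returns a naive value, so attach UTC.
            not_before = datetime.strptime(raw, "%b %d %H:%M:%S %Y %Z")
            not_before = not_before.replace(tzinfo=timezone.utc)
    if issuer is None or not_before is None:
        raise ValueError("expected both an issuer= and a notBefore= line")
    return issuer, not_before


def classify(issuer, not_before):
    """Apply the Chrome 56 rule quoted from the Google post."""
    if not any(ca in issuer for ca in DISTRUSTED_CAS):
        return UNAFFECTED
    if not_before >= CUTOFF:
        return DISTRUSTED
    return CONDITIONAL


def classify_openssl_output(text):
    """Convenience wrapper: classify straight from the openssl text."""
    return classify(*parse_openssl_summary(text))


# Constructed sample outputs (hypothetical issuers/dates, not real certificates).
SAMPLE_STARTCOM_AFTER = (
    "issuer=C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, "
    "CN = StartCom Class 1 DV Server CA\n"
    "notBefore=Nov  3 09:15:00 2016 GMT\n"
)
SAMPLE_STARTCOM_BEFORE = (
    "issuer=C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, "
    "CN = StartCom Class 1 DV Server CA\n"
    "notBefore=Oct 20 23:59:59 2016 GMT\n"
)
SAMPLE_OTHER_CA = (
    "issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3\n"
    "notBefore=Jan 15 00:00:00 2017 GMT\n"
)

if __name__ == "__main__":
    for name, sample in (("after cut-off", SAMPLE_STARTCOM_AFTER),
                         ("before cut-off", SAMPLE_STARTCOM_BEFORE),
                         ("other CA", SAMPLE_OTHER_CA)):
        print(f"{name:15s} -> {classify_openssl_output(sample)}")
```

The "conditional" result is the one that bit the posters in this thread: a certificate in that bucket was still accepted by Chrome 56 only because of the CT or whitelist exception, and the exception was the part that later went away, so anything classified that way is the first thing to replace.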
We spent a good hour or two when Chrome 56 came out trying to work out why our .eu domain didn't work but the .com did, even though it was the same StartSSL cert on the same IP. Turned out our .eu wasn't popular enough to remain allowed, even though it was our primary domain up until last year.

I had read the original blog post, but my original understanding was that existing certificates would remain trusted and simply newer ones would not be. Hidden in the paragraph was the part about then starting to distrust existing certificates. Very poor communication from Google.
I disabled that CA in Firefox a while ago, and it occasionally prevents me from visiting a site; it's quite widely used. Wonder if that'll become a common experience for Chrome users.