Question
At 02:00 UTC a growing fraction of clients start failing TLS to your public API with 'unable to get local issuer certificate' / 'certificate verify failed', yet your leaf certificate was renewed last month and openssl shows it valid for 300+ days. A curl request from your bastion (which has the full chain in its trust store) succeeds, but mobile clients and some partners' strict validators fail. Dashboards show the handshake-failure rate climbing from 0% to ~35% over an hour, with no correlated deploy. `openssl s_client -showcerts` from an outside host shows the server returns leaf + one intermediate; the intermediate's notAfter is *yesterday*. How do you triage and mitigate?
Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
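
As an added example (not part of the original question), the check below reads the "Certificate chain" summary from `openssl s_client -showcerts` and flags every served certificate by expiry, not just the leaf. It assumes the OpenSSL 3.x layout with `v:NotBefore ...; NotAfter ...` lines; the sample output, names and dates are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout OpenSSL 3.x prints under "Certificate chain"
# (names and dates are made up for illustration).
SAMPLE = """\
Certificate chain
 0 s:CN = api.example.test
   i:C = US, O = Example Trust, CN = Example Issuing CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 10 00:00:00 2024 GMT; NotAfter: May 10 23:59:59 2025 GMT
 1 s:C = US, O = Example Trust, CN = Example Issuing CA 1
   i:C = US, O = Example Trust, CN = Example Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 13 00:00:00 2019 GMT; NotAfter: Jun 13 23:59:59 2024 GMT
"""

SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
VALID = re.compile(r"^\s*v:NotBefore: (.+?) GMT; NotAfter: (.+?) GMT\s*$")
FMT = "%b %d %H:%M:%S %Y"

def parse_chain(text):
    """Return [(depth, subject, not_after)] for each certificate the server sent."""
    chain, current = [], None
    for line in text.splitlines():
        if m := SUBJECT.match(line):
            current = (int(m.group(1)), m.group(2).strip())
        elif (m := VALID.match(line)) and current:
            # openssl pads single-digit days with two spaces; normalise first
            not_after = datetime.strptime(" ".join(m.group(2).split()), FMT)
            chain.append((*current, not_after.replace(tzinfo=timezone.utc)))
            current = None
    return chain

def expiry_findings(text, now, warn_days=30):
    """Flag every chain element that is expired or inside the warning window."""
    findings = []
    for depth, subject, not_after in parse_chain(text):
        days_left = (not_after - now).total_seconds() / 86400
        if days_left < 0:
            findings.append((depth, subject, "EXPIRED"))
        elif days_left < warn_days:
            findings.append((depth, subject, "EXPIRING"))
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 14, 2, 0, tzinfo=timezone.utc)  # constructed "02:00 UTC"
    for depth, subject, state in expiry_findings(SAMPLE, now):
        print(f"depth {depth}: {state}: {subject}")
```

Run on a schedule from outside the network, the same check would have raised the depth-1 certificate as EXPIRING weeks before the incident while the leaf still looked healthy.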