tl;dr: Symantec have tried to implement a broken version of Certificate Transparency on their Certs when IETF have not finished the spec.
As such new Symantec certificates don't work in newer versions of Chrome.
Crazy but true.
Kudos to the site owner - clear and simple and authoritative explanation
(Although I see the hand of politics behind this. "Hey we really fucked up the Google.com certificates. The board insists we do what Google wants and implement full certificate transparency by June 30. And it took two hours to explain it to the board so I am not going back to explain that it's all changed - Just implement the most recent IETF draft. Then I can tell the board it's done. What's the worst that can happen!"
As such new Symantec certificates don't work in newer versions of Chrome.
Crazy but true.
Kudos to the site owner - clear and simple and authoritative explanation
(Although I see the hand of politics behind this. "Hey we really fucked up the Google.com certificates. The board insists we do what Google wants and implement full certificate transparency by June 30. And it took two hours to explain it to the board so I am not going back to explain that it's all changed - Just implement the most recent IETF draft. Then I can tell the board it's done. What's the worst that can happen!"
Oh ....)