@SeanWrightSec@Scott_Helme They return the right cert (albeit expired) for www but not for the bare domain. Brilliant.
It's almost exactly like this is a good example of why @googlechromedev should not be eliding www, it's an incredibly common misconfiguration.