So it isn’t just Google.
Sucks if you’re ordering your certificates through one of their intermediates, and being duped because of this.
… after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015.
Ouch.
The chain of trust is only as strong as its weakest link. Especially with Certificate Authorities.