FF 31.1.0 ESR and Java is not accepting SSL cert (Thawte SSL123) with SHA-2 with RSA SHA-2 intermediate CA and SHA-2 Root.
(with SHA-1 Root it is ok.
Martin, do you have an example hostname where this can be observed?
No, our client moved back to RSA SHA-2 under SHA-1 Root (production server) I will ask him for screenshots.
Is the problem that the SHA2 roots are not in their trust stores?
Here are the screenshots
Yes, that seems like the SHA256 certificate is not in the browser's root store.
Your server probably isn't sending intermediate certificates.
Retrieving data ...