
Chain certificate is not updated after a while when enabling mTLS per service. #3967

@diemtvu

Description


Here is the symptom that I saw. I guess these steps can be repeated for testing/debugging (though I haven't confirmed it myself):

  • Install istio without global mTLS.
  • Start httpbin demo with service annotation to enable mTLS (auth.istio.io/8000: MUTUAL_TLS)
  • Start another demo (sleep) to use for testing.
  • Everything looks good initially (curl from the sleep pod succeeds, the certificate has the correct validity window).
  • Leave the cluster alone for a while (a few cycles or the cert rotation threshold).
  • Come back: the chain certificate seems not to have been updated for a while. Below is the command, for quick reference. curl from the sleep pod returns a 503, as expected when the SSL connection cannot be made.
    kubectl exec $(kubectl get pod -l app=httpbin -o jsonpath={.items[0].metadata.name}) -c istio-proxy -- cat /etc/certs/cert-chain.pem | openssl x509 -text -noout | grep Validity -A 2

Note: not sure if the problem also exists if mTLS is enabled globally (I hope not); I just haven't been working with that environment setup.
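The reporter's diagnostic is to read the `Validity` block of `/etc/certs/cert-chain.pem` by hand. The script below, an added example that is not part of the issue or of Istio's own code, does the same check programmatically: it parses the `Not Before`/`Not After` lines exactly as `openssl x509 -text -noout` prints them and says whether the chain cert is still valid, already past its rotation point, or expired (the state behind the 503). The sample input is constructed, and the `rotation_fraction` threshold is an assumed parameter for illustration; the issue does not state what threshold the Istio agent actually uses.

```python
"""Classify an Istio sidecar's cert-chain validity window from openssl's text output."""
import re
from datetime import datetime, timezone

# Constructed sample input: the three lines that the
# `openssl x509 -text -noout | grep Validity -A 2` pipeline in the issue prints.
SAMPLE_VALIDITY = """\
        Validity
            Not Before: Mar  7 22:13:00 2018 GMT
            Not After : Mar  8 22:13:00 2018 GMT
"""

# Date format that `openssl x509 -text` uses for the validity fields.
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def utc(s):
    """Helper for tests and callers: 'YYYY-MM-DD HH:MM' -> aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def parse_validity(text):
    """Extract (not_before, not_after) from openssl's text dump as aware UTC datetimes."""
    fields = {}
    for label in ("Not Before", "Not After"):
        m = re.search(label + r"\s*:\s*(.+)", text)
        if not m:
            raise ValueError("missing '%s' in input" % label)
        fields[label] = datetime.strptime(m.group(1).strip(), OPENSSL_TIME).replace(
            tzinfo=timezone.utc
        )
    return fields["Not Before"], fields["Not After"]


def classify(not_before, not_after, now, rotation_fraction=0.5):
    """Classify the cert relative to `now`.

    'expired'       -> now is at/after Not After; the TLS handshake fails and the
                       caller sees the 503 described in the issue.
    'not_yet_valid' -> now is before Not Before (clock skew, or a cert written
                       by a node whose clock is ahead).
    'rotation_due'  -> more than `rotation_fraction` of the lifetime has elapsed
                       and the file on disk is still the old cert. The fraction
                       is an assumed parameter for this example, not Istio's
                       documented threshold.
    'ok'            -> otherwise.
    """
    if now >= not_after:
        return "expired"
    if now < not_before:
        return "not_yet_valid"
    lifetime = not_after - not_before
    elapsed = now - not_before
    if elapsed >= lifetime * rotation_fraction:
        return "rotation_due"
    return "ok"


def check(text, now, rotation_fraction=0.5):
    """Parse and classify in one step; returns (status, seconds_until_not_after)."""
    not_before, not_after = parse_validity(text)
    status = classify(not_before, not_after, now, rotation_fraction)
    return status, int((not_after - now).total_seconds())


if __name__ == "__main__":
    status, remaining = check(SAMPLE_VALIDITY, datetime.now(timezone.utc))
    print("cert-chain status: %s (%d s until Not After)" % (status, remaining))
```

To run it against a live sidecar, feed the output of the `kubectl exec ... | openssl x509 -text -noout` command from the issue to `check()` instead of `SAMPLE_VALIDITY`; a result of `rotation_due` while the file's mtime is hours old is the "chain certificate hasn't been updated" condition the reporter describes, and `expired` is the point at which the sleep pod's curl starts returning 503.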
