See https://gitlab.com/redhat-crypto/fedora-crypto-policies for details.
Reported by darix and also my own audit.log - the actual denial was for /usr/share/crypto-policies/DEFAULT/openssl.txt.
(I'm aware that the crypto policies are not really certificates, but since they are used by several crypto libraries, ssl_certs is probably the best place for them even if the filename doesn't match.)
This just appeared in openSUSE Tumbleweed, therefore I propose this patch for 3.0 and master.