On certain newer implementations of openssl, such as the one currently on Debian's testing branch, SHA-1 as the digest algorithm in certificates is rejected by the default OpenSSL config because it is deprecated. There is a workaround to fix it, but it seems to be a not-very-safe thing to do for anything else on the system using OpenSSL, and it would probably just be better to update the certificates we use for testing to SHA-256 instead.
This causes test failures. I discovered when testing kmip.js on my system, which failed with
cannot read certificate file: src/mongo/db/modules/enterprise/jstests/encryptdb/libs/client_password_protected.pem error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
See https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1 for context