ca_root_nss version 3.53 still contains the expired "AddTrust External CA root" and "AddTrust Class 1 CA Root". As far as I understand it, this shouldn't be a problem for openssl 1.1 which automatically builds a new required chain, but on 11.3-RELEASE-p9, which uses openssl 1.0, validation will fail.
If you're looking for en example certificate that exhibits this problem: rtvutrecht dot nl
My solution was to remove the expired certificates from /usr/local/share/certs/ca-root-nss.crt
I'm not sure whether this should be fixed at the FreeBSD end or the Mozilla end, I'll leave that to the maintainer to decide.
Certs were removed in NSS 3.54