You can also try this:
- Downgrade the crypto policies.
- Regenerate the keys to 2048+ bit, both auth and hostid.
- Regenerate the cert with the SHA-256 signature algorithm.
If nothing helps, they likely dropped the relevant piece of code.
See also: Changes/OpenSSLDistrustSHA1SigVer - Fedora Project Wiki