Three packages depend directly on nss-certs: ldns, pypy3, and icedtea6.

This is a problem because certificates expire. When that happens, the
features of these programs that use X.509 certificates will stop
working. Instead, packages should look up certificates at run-time in
unversioned and well-known locations such as /etc/ssl/certs or via
environment variables like $SSL_CERT_DIR.

I'll send a patch removing the dependency from ldns.

pypy3 does not build anyways because its runpath cannot be successfully
validated, but I will investigate anyways after disabling the runpath
validator.

Icedtea6 is a very complex package. I assume it depends on the
certificates directly for a good reason, but I would still appreciate
some feedback on it.