diff --git a/nss-tests-paypal-certs-v2.patch b/nss-tests-paypal-certs-v2.patch
new file mode 100644
index 0000000..8f37f8c
--- /dev/null
+++ b/nss-tests-paypal-certs-v2.patch
@@ -0,0 +1,29 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1541595734 -3600
+#      Wed Nov 07 14:02:14 2018 +0100
+# Node ID 19fd907784e38a5febb54588353368af91b12551
+# Parent  3b79af0fa294b4b1c009c1c0b659bb72b4d2c1c8
+Bug 1505317, update PayPal test certs
+
+diff --git a/tests/chains/scenarios/realcerts.cfg b/tests/chains/scenarios/realcerts.cfg
+--- a/tests/chains/scenarios/realcerts.cfg
++++ b/tests/chains/scenarios/realcerts.cfg
+@@ -21,7 +21,7 @@ verify TestUser51:x
+   result pass
+ 
+ verify PayPalEE:x
+-  policy OID.2.16.840.1.114412.1.1 
++  policy OID.2.16.840.1.114412.2.1 
+   result pass
+ 
+ verify BrAirWaysBadSig:x
+diff --git a/tests/libpkix/vfychain_test.lst b/tests/libpkix/vfychain_test.lst
+--- a/tests/libpkix/vfychain_test.lst
++++ b/tests/libpkix/vfychain_test.lst
+@@ -1,4 +1,4 @@
+ # Status | Leaf Cert | Policies | Others(undef)
+ 0 TestUser50 undef
+ 0 TestUser51 undef
+-0 PayPalEE OID.2.16.840.1.114412.1.1
++0 PayPalEE OID.2.16.840.1.114412.2.1
diff --git a/nss.spec b/nss.spec
index 1b27d8f..3a4e248 100644
--- a/nss.spec
+++ b/nss.spec
@@ -18,7 +18,7 @@ Name:             nss
 Version:          %{nss_version}
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          3%{?dist}
+Release:          4%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -61,6 +61,8 @@ Source25:         key3.db.xml
 Source26:         key4.db.xml
 Source27:         secmod.db.xml
 Source28:         nss-p11-kit.config
+Source29:         PayPalICA.cert
+Source30:         PayPalEE.cert
 
 Patch3:           renegotiate-transitional.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
@@ -84,6 +86,8 @@ Patch50:          iquote.patch
 # Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 Patch62: nss-skip-util-gtest.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1505317
+Patch63:          nss-tests-paypal-certs-v2.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -163,6 +167,8 @@ low level services.
 %patch58 -p0 -b .1185708_3des
 pushd nss
 %patch62 -p1 -b .skip_util_gtest
+%patch63 -p1 -b .paypal-certs
+cp %{SOURCE29} %{SOURCE30} tests/libpkix/certs
 popd
 
 #########################################################
@@ -744,6 +750,9 @@ update-crypto-policies
 
 
 %changelog
+* Wed Nov 14 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-4
+- Fix FTBFS with expired test certs
+
 * Thu Sep 13 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-3
 - Fix LDFLAGS injection
 
diff --git a/sources b/sources
index bc02822..c45fce5 100644
--- a/sources
+++ b/sources
@@ -4,3 +4,5 @@ SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60b
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
 SHA512 (nss-3.39.tar.gz) = 16358c2d8660ca301410b1d39b2eae64fe2ebbbfab797872410e5fcc67f802ef48f4e362edeecb0591626c77013537019094a6a5dfc8d24487b6b6e54564da8f
+SHA512 (PayPalEE.cert) = 602518b8476b40dd241879923a36a433f3220eb28a8c4f7d941131def6e3d00b01d92050ab498e2a08763b02c3c4709855de0ee23a0053d26f4fa9f9f33aaad3
+SHA512 (PayPalICA.cert) = 013795ebb3f13a1cbd5d9d82eef2f439852e461200f12df9790d0b1d63863dc7755af378ea4758f4c8a3a619dfd2d0d43a59da77553caed57611815d6263946b