* Matthew Seaman <matthew at FreeBSD.org> [160618 11:21]:
> Even so, the option used to be off by default: the change to 'on by
> default' was made almost exactly a year ago, and there have been
> several changes to the list of certs since, so not having the symlink
> in place indicates either that you haven't updated your ports
> recently, or that you've specifically chosen not to enable the
> symlink. In which case you wouldn't have been able to validate the
> previous cert either.
>
> There really is no excuse for not updating the ca_root_nss port
> immediately there are updates available. Otherwise you can end up
> trusting certificates that have since been shown to be less than
> trustworthy.
>
> That you couldn't verify the cert is not a bug in FreeBSD, but a
> configuration problem in your own system. Not having the right
> fingerprint in the docs certainly is a bug which I'm sure will be
> addressed soon.

Thanks for the warnings, Matthew.

In my case, the symlink was in place in all the relevant jails, just not on the underlying system, which pre-dated the config change and communicated only with svn.freebsd.org to update the src and ports trees daily. That key had been manually verified long ago.

I moved the bug report to documentation as soon as I realized that my lack of a symlink was at fault.

Hope this helps,
Ben