I believe this is a result of no CA root store being installed by default.  Which I'm sure was a hotly debated topic and has been decided upon for noble reasons.

However, that decision causes ntpd, which *is* installed by default, to not grab the leap file because ietf.org is https.

The easy fix is to change the script to:
fetch --no-verify-peer https://www.ietf.org/timezones/data/leap-seconds.list

Not the most elegant, but the only option if root certs will not be available for a default package.

Suggest this patch:
$ diff -u rc.conf.orig rc.conf
--- rc.conf.orig	2018-05-31 19:56:39.243329000 +0000
+++ rc.conf	2018-05-31 19:57:39.598165000 +0000
@@ -4,5 +4,7 @@
 ifconfig_re0="DHCP"
 sshd_enable="YES"
 ntpd_enable="YES"
+# Allow default ntpd install to download leap file over SSL with no root cas installed
+ntp_leapfile_fetch_opts="--no-verify-peer"
 # Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
 dumpdev="AUTO"

I haven't seen this error myself and I bet many users haven't as well.  My theory is that this is because we happen to have ca_root_nss installed via pkg (a.k.a. security/ca_root_nss in ports). This is a common dependency in many different packages.

ca_root_nss package is responsible for creating /usr/local/etc/ssl/cert.pem, which base system OpenSSL (libssl.so.8) reads/honours.  You can verify this with truss.

pkg info -l ca_root_nss will not show this file in its packaging list because of how ca_root_nss works.  Some part of the pkg/port creates a hard link of /usr/local/etc/ssl/cert.pem --> /usr/local/share/certs/ca-root-nss.crt, of which the latter *is* in the package list.  The pkg-message says it uses a symlink but this is false; see PR 228550 for details.

This is really part of a bigger problem that is the whole "base system" concept, but I don't want to get off-topic.  The --no-verify-peer kludge should be acceptable, though I would strongly suggest asking secteam@ first.