service(8) sets an empty environment via env -i when invoking rc.d files.
This is wrong, because it's not the same environment that init provides, which comes from the "daemon" login class in login.conf.
The practical upshot of this is that there is no way (short of modifying the scripts) to set environment variables that rc.d scripts might need, such as an HTTP_PROXY setting to allow "service ntpd onefetch" to work on a system behind a proxy.
Related but possibly less serious: when rc.subr invokes a command under a specified login class, it sets only the resource limits and not the environment.
add HTTP_PROXY=http\c//yourproxyhost\cport/ to the setenv= property of "default" or "daemon" in login.conf
then observe (from a host with no public connectivity)
# service ntpd onefetch
fetch: https://www.ietf.org/timezones/data/leap-seconds.list: Network is unreachable
CC'ing dteske@ and assigning to rc@
(In reply to Kyle Evans from comment #1)
Is this not in line with the similiar issue we are seeing about starting /etc/rc.d/* scripts from the command directly, rather than using the service(8) command? This was discussed heavily in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235185.
The start of a concrete proposal to address this is here: https://reviews.freebsd.org/D21481