If a symlink (for instance in the certificate store, but affects other stuff as well) has the wrong permissions, freebsd-update IDS will output nonsensical errors:

freebsd-update IDS
...
/etc/ssl/blacklisted/dc45b0bd.0 is a symlink, but should be a
/etc/ssl/blacklisted/ee1365c0.0 is a symlink, but should be a
/etc/ssl/blacklisted/f90208f7.0 is a symlink, but should be a
...

This rather suggests that those items should not be symlinks, when in fact it is the permissions that are incorrect.

Steps to reproduce:

Symlinks in /etc/ssl/blacklisted/ are supposed to have permissions of 755. Let's deviate from that expectation:

chmod o-rwx /etc/ssl/blacklisted/*

and then run

freebsd-update IDS

PS: I came across this because "certctl rehash" apparently obeys changes to umask in login.conf. I'll create an additional PR for that (assuming that information about blacklisted certs should indeed be readable by world).
For the "certctl rehash" issue, see bug 261330.
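A triage helper for the output quoted in the report, as an added example that is not part of the original report or of freebsd-update: it picks out IDS lines whose "should be a" part is empty and checks whether the path is a symlink whose mode differs from the 755 the report expects. The names `parse_ids`, `triage` and `SAMPLE` are hypothetical, and the second sample line is constructed for contrast.

```python
import os
import re
import stat

# Line shape taken from the IDS output quoted in the report. The expected
# type is optional, because the misleading lines end right after "should be a".
IDS_TYPE_LINE = re.compile(
    r"^(?P<path>/\S+) is a (?P<actual>.+?), but should be a(?: (?P<expected>.*))?$"
)
EXPECTED_SYMLINK_MODE = 0o755  # the mode the report says these symlinks should have

SAMPLE = [
    "/etc/ssl/blacklisted/dc45b0bd.0 is a symlink, but should be a",  # from the report
    "/tmp/example is a directory, but should be a regular file",      # constructed
]

def parse_ids(lines):
    """Return (path, actual_type, expected_type) for each type-mismatch line."""
    findings = []
    for line in lines:
        m = IDS_TYPE_LINE.match(line.rstrip())
        if m:
            findings.append((m["path"], m["actual"], (m["expected"] or "").strip()))
    return findings

def triage(lines, lstat=os.lstat):
    """For lines with an empty expected type, report the symlink's own mode."""
    report = []
    for path, _actual, expected in parse_ids(lines):
        if expected:
            continue  # a complete message; nothing to reinterpret
        try:
            st = lstat(path)  # lstat: inspect the link itself, not its target
        except OSError as exc:
            report.append((path, "cannot lstat: %s" % exc))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISLNK(st.st_mode) and mode != EXPECTED_SYMLINK_MODE:
            verdict = "symlink mode %04o, expected %04o" % (mode, EXPECTED_SYMLINK_MODE)
        else:
            verdict = "no mode deviation found"
        report.append((path, verdict))
    return report

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE):
        print(path, "->", verdict)
```

On the affected FreeBSD host, feed it the saved output of `freebsd-update IDS` instead of `SAMPLE`.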