Would you guys switch from CACert to Let's Encrypt so no more need for `--no-check-certificate`?
+1 on this. Additionally, ipv4.dyn.dns.he.net currently uses a cert for dyn.dns.he.net, which is clearly incorrect.
+1. Anything so that we're not bypassing security checks.
-1 on this. If you want to check the certificate, install CACert's root certificate.
(Personally, I don't understand how "Let's Encrypt" got into the lists... but then that could apply to most of the listed CAs.)
By the way... it looks like Let's Encrypt does not use a Let's Encrypt certificate. Should anyone?