From a0b6ba9b8d0f724020156b02a303e442a6bc4d49 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Oliveirinha?=
Date: Mon, 19 Sep 2022 12:34:26 +0100
Subject: [PATCH] TUN-6779: cloudflared should also use the root CAs from system pool to validate edge certificate

---
 tlsconfig/certreloader.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/tlsconfig/certreloader.go b/tlsconfig/certreloader.go
index 6394fbac..7c0514b0 100644
--- a/tlsconfig/certreloader.go
+++ b/tlsconfig/certreloader.go
@@ -131,7 +131,10 @@ func CreateTunnelConfig(c *cli.Context, serverName string) (*tls.Config, error)
 }
 
 if tlsConfig.RootCAs == nil {
- rootCAPool := x509.NewCertPool()
+ rootCAPool, err := x509.SystemCertPool()
+ if err != nil {
+ return nil, errors.Wrap(err, "unable to get x509 system cert pool")
+ }
 cfRootCA, err := GetCloudflareRootCA()
 if err != nil {
 return nil, errors.Wrap(err, "could not append Cloudflare Root CAs to cloudflared certificate pool")
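Review bot: An error from x509.SystemCertPool() now aborts CreateTunnelConfig, whereas the old code always produced a usable pool from the Cloudflare roots appended just below, so on a host whose system store cannot be loaded (historically the case on some platforms with older Go toolchains) a previously working configuration becomes a hard failure. Falling back keeps the old guarantee: `if err != nil { rootCAPool = x509.NewCertPool() }`, ideally with the error logged so the degraded trust set is visible, and a comment such as `// system roots unavailable; continue with Cloudflare roots only`. The change also widens what validates the edge certificate from the Cloudflare roots alone to every root in the host store, which deserves a comment above the call, e.g. `// Trust the host's system roots in addition to the Cloudflare roots appended below.` CreateTunnelConfig continues outside the hunk, so the later use of rootCAPool is not visible here.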