Add all root certificates by default on bootstrap methods.

2019-01-07 18:55:40 -08:00 · 2019-01-07 18:55:40 -08:00 · 6d3e8ed93c
commit 6d3e8ed93c
parent d296cf95a9
2 changed files with 10 additions and 0 deletions
--- a/ca/bootstrap.go
+++ b/ca/bootstrap.go
@ -87,6 +87,9 @@ func BootstrapServer(ctx context.Context, token string, base *http.Server, optio
 		return nil, err
 	}

+	// Make sure the tlsConfig have all supported roots
+	options = append(options, AddRootsToClientCAs(), AddRootsToRootCAs())
+
 	tlsConfig, err := client.GetServerTLSConfig(ctx, sign, pk, options...)
 	if err != nil {
 		return nil, err
@ -130,6 +133,9 @@ func BootstrapClient(ctx context.Context, token string, options ...TLSOption) (*
 		return nil, err
 	}

+	// Make sure the tlsConfig have all supported roots
+	options = append(options, AddRootsToRootCAs())
+
 	transport, err := client.Transport(ctx, sign, pk, options...)
 	if err != nil {
 		return nil, err
--- a/ca/tls_options.go
+++ b/ca/tls_options.go
@ -95,6 +95,8 @@ func AddClientCA(cert *x509.Certificate) TLSOption {
 // AddRootsToRootCAs does a roots request and adds to the tls.Config RootCAs all
 // the certificates in the response. RootCAs defines the set of root certificate
 // authorities that clients use when verifying server certificates.
+//
+// BootstrapServer and BootstrapClient methods include this option by default.
 func AddRootsToRootCAs() TLSOption {
 	return func(c *Client, tr http.RoundTripper, config *tls.Config) error {
 		certs, err := c.Roots(tr)
@ -115,6 +117,8 @@ func AddRootsToRootCAs() TLSOption {
 // all the certificates in the response. ClientCAs defines the set of root
 // certificate authorities that servers use if required to verify a client
 // certificate by the policy in ClientAuth.
+//
+// BootstrapServer method includes this option by default.
 func AddRootsToClientCAs() TLSOption {
 	return func(c *Client, tr http.RoundTripper, config *tls.Config) error {
 		certs, err := c.Roots(tr)