Add system CAs for CLI

Signed-off-by: Doug Larson <larsond@us.ibm.com>
LiilyZhang · Jul 12, 2024 · e06b14f · e06b14f
1 parent 9543d04
commit e06b14f
Showing 1 changed file with 23 additions and 14 deletions.
diff --git a/cli/cliutils/cliutils.go b/cli/cliutils/cliutils.go
@@ -1098,20 +1098,29 @@ func GetIcpCertPath() string {
 
 // TrustIcpCert adds the icp cert file to be trusted in calls made by the given http client
 func TrustIcpCert(httpClient *http.Client) error {
-	icpCertPath := GetIcpCertPath()
-	if icpCertPath != "" {
-		icpCert, err := ioutil.ReadFile(icpCertPath)
-		if err != nil {
-			return fmt.Errorf(i18n.GetMessagePrinter().Sprintf("Encountered error reading ICP cert file %v: %v", icpCertPath, err))
-		}
-		caCertPool := x509.NewCertPool()
-		caCertPool.AppendCertsFromPEM(icpCert)
-
-		transport := httpClient.Transport.(*http.Transport)
-		transport.TLSClientConfig.RootCAs = caCertPool
-
-	}
-	return nil
+        icpCertPath := GetIcpCertPath()
+
+        var caCertPool *x509.CertPool
+        var err error
+
+        // Trust the system certs like the anax agent code can
+        caCertPool, err = x509.SystemCertPool()
+        if err != nil {
+		// Decided not to fail and return here but just create a new pool
+		caCertPool = x509.NewCertPool()
+        }
+
+        if icpCertPath != "" {
+                icpCert, err := ioutil.ReadFile(icpCertPath)
+                if err != nil {
+                        return fmt.Errorf(i18n.GetMessagePrinter().Sprintf("Encountered error reading ICP cert file %v: %v", icpCertPath, err))
+                }
+                caCertPool.AppendCertsFromPEM(icpCert)
+        }
+
+        transport := httpClient.Transport.(*http.Transport)
+        transport.TLSClientConfig.RootCAs = caCertPool
+        return nil
 }
 
 // Get exchange url from /etc/default/horizon file. if not set, check /etc/horizon/anax.json file